Ref. Ares(2020)3512785 - 03/07/2020 


SDN-µSense 


Project No. 833955 
Project acronym: SDN-microSENSE 


Project title: 


SDN - microgrid reSilient Electrical eNergy SystEm 


Deliverable D3.4 


Energy-related Personnel & Processes 
Readiness Evaluation 


Programme: H2020-SU-DS-2018 
Start of the project: 01.05.2019 


Duration: 36 months 
Editor: TECNALIA 
Due date of the deliverable: 30/06/2020 
Actual submission date: 03/07/2020 


This project has received funding from the European Union's Horizon 2020 
research and innovation programme under grant agreement No 833955 


SDN-µSense 

D3.4 - Energy-related Personnel & Processes Readiness Evaluation 

Version 1.0 


Deliverable Description: 

Deliverable Name: Energy-related Personnel & Processes Readiness Evaluation 
Deliverable Number: D3.4 
Work Package: WP3 
Associated Task: T3.4 
Covered Period: M2-M14 
Due Date: M14 
Completion Date: M14 
Submission Date: 3/7/2020 
Deliverable Lead Partner: TECN 
Deliverable Author(s): AYESA, UOWM, IEIT, ESO, CEZ, UBITECH, 8BELLS, ALKYONIS, VETS, IREC, EPESA, CW, DIEL, IDENER 
Version: 1.0 

Dissemination Level 
PU Public X 
PP Restricted to other programme participants (including the Commission Services) 
RE Restricted to a group specified by the consortium (including the Commission Services) 
CO Confidential, only for members of the consortium (including the Commission Services) 
CHANGE CONTROL 

DOCUMENT HISTORY 

Version | Date | Change History | Author(s) | Organisation 
 | 25/10/2019 | Document Template and objectives. Section 2. User Roles. | Xabier Yurrebaso | TECNALIA 
02 | 3/3/2020 | Compilation of contributions of task partners about user roles in an energy company. | Iñaki Angulo | TECNALIA 
03 | 30/3/2020 | Classification of User Roles and Smart Grids Assets and Threats. User Roles Description. | Iñaki Angulo | TECNALIA 
 | 27/4/2020 | Revision of User Roles description by the stakeholders. | Jose Antonio Pérez; Chloe Coral; Jaime Argüelles; Panagiotis Famelis | IDENER; EPESA; AYESA; IPTO 
 | 4/5/2020 | Section 2. High level definition of the Validation Methodology. | Iñaki Angulo, Xabier Yurrebaso, Izaskun Santamaria | TECNALIA 
 | 20/5/2020 | Section 4. Cybersecurity Capacity Model of an Energy Company. Section 5. Cybersecurity Personnel Competences in an Energy Company. Section 4. More information about the Maturity model is added. Section 5. More information about knowledge categories and subcategories is added. | Iñaki Angulo, Marisa Escalante, Izaskun Santamaria | 
 | 1/6/2020 | Section 4. Description of the Managed Level Processes has been added. Section 5. Contributions from task partners have been added. Sections 4 and 5 have been completed. Section 6 has been added. | All | 
 | | Review. | | 
0.10 | 26/6/2020 | Review feedback has been incorporated in the document. | Izaskun Santamaria | TECNALIA 
1.0 | 30/6/2020 | Version 1.0 of the document. | | 

© SDN microSENSE consortium 
Public document 

DISTRIBUTION LIST 

Date | Recipients 
05/06/2020 | AYESA, UOWM, CERTH 
3/7/2020 | AYESA, UOWM, CERTH 
3/7/2020 | AYESA 

SAB APPROVAL 
Name | Institution | Date 
José Antonio Pérez | IDENER | 22/06/2020 

ACADEMIC AND INDUSTRIAL PARTNER REVISION 
Name | Institution | Date 
Thomas Lagkas | Academic partner: UOWM | 19/06/2020 
Jaime Argüelles | Industrial partner: AYESA | 19/06/2020 


Table of contents 

Table of contents 4 
List of Figures 6 
List of Tables 6 
Acronyms 8 
Executive Summary 9 
1 Introduction 12 
1.1 Purpose of the document 12 
1.2 Methodology 13 
1.3 Structure of the document 14 
1.4 Relation to other Work Packages 15 
2 Cybersecurity Awareness and Training Model and Evaluation 17 
2.1 Why we need a Cybersecurity Awareness and Training Model and Evaluation? 17 
2.2 Training Requirements in Cybersecurity Standards 17 
2.2.1 IEC 62443-2-1 Staff training and security awareness 17 
2.2.2 NERC CIP-004-06 Cyber Security - Personnel & Training 19 
2.2.3 NISTIR 7628 Guidelines for Smart Grid Cybersecurity. Awareness and Training 21 
2.3 Components of the Cybersecurity Awareness and Training Model and Evaluation 23 
2.4 ... 24 
2.5 User Role Catalogue 24 
2.6 Integration with the SDN-microSENSE Risk Assessment Framework 26 
3 Activity Roles in an Energy Company 29 
3.1 EPES Stakeholders and Roles 29 
3.2 Matching User Roles with Smart Grid Architecture Model (SGAM) 32 
3.3 Smart Grid Assets 36 
3.4 Smart Grid Threats 43 
4 Cybersecurity Maturity Model 51 
4.1 People CMM 51 
4.2 SDN-microSENSE Cybersecurity Capability Maturity Model 52 
4.3 Maturity Levels 53 
4.3.1 Initial Level 56 
4.3.2 People Managed Level 56 
4.3.3 Competency Managed Level 57 
4.4 People Managed Processes 57 
4.4.1 Training and Development 58 
4.4.2 Staffing 60 
4.4.3 Work Environment 62 
4.4.4 Communication and Coordination 65 
4.5 Competency Managed Processes 67 
4.5.1 Cybersecurity Competency Analysis 67 
4.5.2 Cybersecurity Competency Development 70 
4.5.3 Workforce Planning 73 
4.5.4 Participatory Culture 75 
5 Cybersecurity Competency Model 78 
5.1 Revision of existing Competency Models 78 
5.1.1 European e-Competency Framework (e-CF) 78 
5.1.2 NIST NICE 80 
5.2 Cybersecurity Knowledge, Skills and Abilities (KSA) 81 
5.3 Knowledge 82 
5.4 Skills 93 
5.5 Abilities 100 
6 Evaluation Tool 106 
6.1 ... 106 
6.2 Cover Form 107 
6.3 Evaluation Summary Form 108 
6.4 Level 2 Evaluation Summary Form 110 
6.5 Level 3 Evaluation Summary Form 111 
6.6 Process Assessment Forms 112 
6.7 Assessment Process 116 
7 Conclusions 118 
References 119 
Annex I. Activity Roles in an Energy Company 120 


List of Figures 

Figure 1. Levels and process of the SDN-microSENSE Cybersecurity Maturity Model 10 
Figure 2. Evaluation tool. Evaluation summary form. 11 
Figure 3. Methodology followed to elaborate the SDN-microSENSE Cybersecurity Awareness and Training Evaluation Tool 13 
Figure 4. Deliverable D3.4 relationship within the SDN-microSENSE 15 
Figure 5. IEC 62443-2-1. Cyber Security Management System 18 
Figure 6. Components of the Cybersecurity Awareness and Training Model and Evaluation 24 
Figure 7. Energy Chain Risk Assessment basic steps 27 
Figure 8. Integration of the Risk Assessment Process with the Cybersecurity Awareness and Training Model 28 
Figure 9. List of Activity Roles 29 
Figure 10. SGAM Framework 33 
Figure 11. Smart Grid Plane. Domains and hierarchical zones 34 
Figure 12. Smart grid assets. Source ENISA 37 
Figure 13. Smart grid threats. Source ENISA 44 
Figure 14. People CMM maturity levels 52 
Figure 15. Components of the SDN-microSENSE Cybersecurity Capability Maturity Model 53 
Figure 16. Maturity levels of the SDN-microSENSE Cybersecurity capability maturity Model 54 
Figure 17. Process defined in each maturity level 55 
Figure 18. European e-Competency Framework (e-CF) 79 
Figure 19. NIST NICE Work Roles 80 
Figure 20. NIST NICE. System Administrator Work Role 81 
Figure 21. Selection of knowledge, skills and abilities for each User Role 82 
Figure 22. Evaluation tool. Tool description form 107 
Figure 23. Evaluation tool. Evaluation summary form 108 
Figure 24. Evaluation summary form. Compliance degree of each maturity level 109 
Figure 25. Evaluation summary form. Compliance degree of each process 109 
Figure 26. Evaluation tool. Statistical graphs 110 
Figure 27. Evaluation tool. Level 2, People Managed, evaluation summary form. 110 
Figure 28. Evaluation tool. Level 2 statistical graphs 111 
Figure 29. Evaluation tool. Level 3, Competency Managed, evaluation summary form. 111 
Figure 30. Evaluation tool. Level 3 statistical graphs 112 
Figure 31. Evaluation tool. Staffing Process Assessment Form 113 
Figure 32. Evaluation tool. Training & Development Process Assessment Form 114 

List of Tables 

Table 1. SDN-microSENSE Requirements relevant to the Energy-related Personnel & Processes Readiness Evaluation 15 
Table 2. IEC 62443-2-1. Staff Training and Security Awareness Requirements 19 
Table 3. NERC CIP-004 Personnel & Training Requirements 20 
Table 4. NISTIR 7628 SG.AT - Awareness and Training 22 


Table 5. Role Activity Description table 25 
Table 6. User Roles in an EPES Company 31 
Table 7. ... 33 
Table 8. SGAM Domains 34 
Table 9. SGAM Zones 34 
Table 10. Matching User Roles with Smart Grid Architecture Model (SGAM) 35 
Table 11. Association between Company roles and Smart Grid Assets 38 
Table 12. Association between threats, threat agents and Smart Grid Assets 46 
Table 13. Maturity Levels 54 
Table 14. Process description: Training and Development 58 
Table 15. Process description: Staffing 60 
Table 16. Process description: Work Environment 62 
Table 17. Process description: Communication and Coordination 65 
Table 18. Process description: Cybersecurity Competency Analysis 68 
Table 19. Process description: Cybersecurity Competency Development 70 
Table 20. Process description: Workforce Planning 73 
Table 21. Process description: Participatory Culture 76 
Table 22. Knowledge Categories and Subcategories 83 
Table 23. Assignment of Knowledge Categories and Subcategory to EPES User Roles 90 
Table 24. Knowledge Categories and Subcategories 93 
Table 25. Assignment of Skill Categories to EPES User Roles 97 
Table 26. Knowledge Categories and Subcategories 100 
Table 27. Assignment of Knowledge Categories and Subcategory to EPES User Roles 104 
Table 28. Colour code used in the Evaluation Tool 106 
Table 29. Effort estimation required to carry out the assessment 116 
Table 30. Executive Manager Role Description 120 
Table 31. Security Administrator Role Description 123 
Table 32. Power Plant Operator Role Description 129 
Table 33. Facility Operator Role Description 133 
Table 34. Field Engineer Role Description 135 
Table 35. System Operator / Engineer Role Description 138 
Table 36. Energy Trader Role Description 141 
Table 37. AMI and Demand Side Manager Role Description 144 
Table 38. Operational Manager / Communication Administrator Role Description 147 
Table 39. Substation Engineer Role Description 153 
Table 40. Substation Operator Role Description 157 
Table 41. Installer Role Description 159 
Table 42. Prosumer Role Description 163 
Table 43. Building Energy Manager Role Description 166 
Table 44. Developer Role Description 169 
Table 45. IT User Role Description 174 


Acronyms 

AMI          Advanced Metering Infrastructure 
BES          Bulk Electric System 
CCMM         Cybersecurity Capability Maturity Model 
CSMS         Cyber Security Management System 
DER          Distributed Energy Resources 
DMS          Distribution Management System 
DSM          Demand Side Management 
DSO          Distribution System Operation 
e-CF         European e-Competency Framework 
ECRA         Energy Chain Risk Assessment 
EMS          Energy Management System 
ENISA        European Cybersecurity Agency 
EPES         Electrical Power and Energy System 
EV           Electric Vehicle 
ICS          Industrial Control System 
ICT          Information and Communication Technology 
IDS          Intrusion Detection System 
IED          Intelligent Electronic Device 
IT           Information Technology 
KSA          Knowledge, Skills and Abilities 
NERC CIP     North American Electric Reliability Corporation - Critical Infrastructure Protection 
NIST NICE    National Institute of Standards and Technology - National Initiative for Cybersecurity Education 
OT           Operation Technology 
P-CMM        People Capacity Maturity Model 
People CMM   People Capacity Maturity Model 
PLC          Power Line Communication 
RTU          Remote Terminal Unit 
SCADA        Supervision and Control Acquisition Data System 
SGAM         Smart Grid Architectural Model 
TSO          Transmission System Operator 



Executive Summary 


There is a concern in the energy sector about the low level of cybersecurity training of company 
staff, which is considered a security risk for the company and the infrastructures it operates. The 
standard IEC 62443-2-1 considers security awareness for all personnel an essential tool for 
reducing cybersecurity risks. Companies are aware that they need to improve the cybersecurity 
competences of their employees, especially those that operate the most critical assets. However, 
cybersecurity training cannot be done in an improvised way, once the company or society has suffered 
some type of cyber-attack, nor can it be left to the employees' will. As such, it is necessary to 
institutionalise a set of processes and practices within the organization that provide employees 
with cybersecurity awareness and training specific to their working activity. 


SDN-microSENSE has developed a Cybersecurity Awareness and Training Model and an Evaluation Tool 
to address this challenge and help energy companies improve their cybersecurity 
training processes. The model establishes the set of processes and practices that must be 
institutionalised in the company to manage the cybersecurity awareness and training of its personnel. 
The evaluation tool helps to assess the level of maturity reached by the company in the deployment 
of these processes and practices. Furthermore, a competency framework has also been developed 
with a set of cybersecurity knowledge, skills and abilities to be adopted by people according to 
their working role. 


This document describes the Cybersecurity Awareness and Training Model and the Evaluation Tool, 
which are composed of three main components: 


1. Cybersecurity Capability Maturity Model. 
2. Cybersecurity Competency Model. 
3. Evaluation tool. 


Cybersecurity Maturity Model 


The first component of the SDN-microSENSE Cybersecurity Awareness and Training Model is the 
Cybersecurity Maturity Model. In the context of SDN-microSENSE, the Cybersecurity Maturity 
Model is defined as a set of processes and practices that have to be institutionalised in a company to 
improve the competency level of its personnel in cybersecurity aspects. The model defines 3 Maturity 
Levels, representing different degrees of organizational capability for managing and developing the 
training, skills, and competency processes, in order to generate a cybersecurity culture inside an energy 
company. Each maturity level, besides the Initial Level, consists of four processes, which identify the 
capabilities that must be institutionalized in the company to achieve that maturity level. Finally, each 
process is composed of a set of practices and tips for achieving the process goal. 


Figure 1 shows the 3 maturity levels (Initial, People Managed, and Competency Managed) and the 
processes that have been defined for each of them in the Cybersecurity Maturity Model. 

[Figure 1: SDN-microSENSE Cybersecurity Capability Maturity Model] 
Competency Managed: Competency Analysis, Competency Development, Workforce Planning, Participatory Culture 
People Managed: Staffing, Training and Development, Communication & Coordination, Work Environment 
Initial: no processes defined 

Figure 1. Levels and process of the SDN-microSENSE Cybersecurity Maturity Model 


Cybersecurity Competency Framework 


A competency model is a framework that defines the set of knowledge, skills and abilities required to 
perform a specific job in a company. The continuous digitisation of the energy sector is forcing the 
workforce to acquire cybersecurity knowledge and skills to avoid unconscious errors, reduce external 
threats, and be able to face adverse events (attacks and incidents) or system failures. The Cybersecurity 
Competency Framework focuses on the specific cybersecurity competences (knowledge, skills and 
abilities) that must be adopted by each person according to their working role. 

A total of 16 user roles have been defined in the model, such as executive manager, security 
administrator, system operator, engineer, OT manager, installer or IT user. Each role includes 
information about its activity, location, managed assets, possible threats and cybersecurity 
competences (knowledge, skills and abilities). 


Evaluation Tool 


The Evaluation Tool allows a company to measure the maturity level reached in the institutionalisation 
and deployment of training processes defined in the Cybersecurity Maturity Model. Once the user has 
entered information about the practices deployed in the company, the tool will give information about 
the level of maturity reached by the company. 


The tool, developed in EXCEL, contains the following elements: 

• Cover form. It provides general information about the tool: name, version, brief description. 
• Evaluation summary form. 
• Level 2 (people managed) results presentation form. 
• Level 3 (competency managed) results presentation form. 
• Processes assessment form. 
Figure 2 shows the summary form of the evaluation tool, which provides information about the degree 
of deployment of the different maturity processes. 

[Figure 2: Cybersecurity Awareness & Training Model - Evaluation Summary (Global Graphs). Columns: Level | Description | Satisfied | Processes | Purpose | Satisfied] 

3 Competency Managed. People are trained and qualified according to their roles in the company and according to the threats they or the equipment and systems they handle may suffer. 
• Cybersecurity Competency Analysis: Identify the cybersecurity knowledge, skills, and abilities required to perform the organization's business activities in the most secure way possible. Satisfied: 47% 
• Competency Development: Enhance constantly the capability of the workforce to perform its assigned tasks and responsibilities. 
• Participatory Culture: Enable the workforce's full capability for making decisions that affect the performance of business activities oriented to detect cybersecurity risks. 
• Workforce Planning: Coordinate workforce activities with current and future cybersecurity needs at both the organizational and role levels. 

2 People Managed. Managers take responsibility for managing and developing the awareness and training of the workforce. 
• Staffing: Establish a formal process by which committed work regarding cybersecurity needs is matched to unit resources and qualified individuals are recruited, selected, and transitioned into assignments. 
• Training and Development: Ensure that all individuals have the knowledge and skills required to perform their assignments and activities related to cybersecurity. 
• Communication & Coordination: Establish timely communication throughout the organization and ensure that the personnel has the skills to share cybersecurity information and that this information is efficiently coordinated. 
• Work Environment: Establish and maintain physical working conditions and provide resources that allow individuals and workgroups to perform the detection of intrusions efficiently and also to avoid unintentional security incidents caused by the personnel. 

1 Initial. Awareness and training practices are applied inconsistently or in a reactive manner. No processes have been defined in this level. 

Figure 2. Evaluation tool. Evaluation summary form. 
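The level / process / practice hierarchy of the maturity model and the compliance degrees reported in the summary form can be modelled in a few lines. The following Python is an added example, not the project's Excel evaluation tool nor any code from the deliverable: the level and process names follow Figure 1, while the practice checklists, the rule that a level's degree is the mean of its process degrees, and the rule that a level counts as reached only when every one of its processes (and every lower level) is fully satisfied are assumptions made for this example.

```python
"""Maturity scoring over a level -> process -> practice hierarchy.

Added example, not the SDN-microSENSE Excel tool. Level and process names follow
Figure 1 of the deliverable; the practice checklists and both aggregation rules
(mean per level, all-processes-satisfied to reach a level) are assumptions.
"""
from typing import Dict, List, Set, Tuple

Processes = Dict[str, List[str]]

# Practice lists are constructed placeholders; the deliverable's own practices
# are described in Section 4.
MODEL: Dict[int, Tuple[str, Processes]] = {
    1: ("Initial", {}),  # no processes are defined at the Initial level
    2: ("People Managed", {
        "Staffing": [
            "staffing needs for cybersecurity tasks are documented",
            "selection criteria include cybersecurity competences",
            "new staff receive a security briefing before assignment",
        ],
        "Training and Development": [
            "training needs are identified per role",
            "a training plan exists and is budgeted",
            "training completion is recorded",
        ],
        "Communication & Coordination": [
            "a channel to report security concerns exists",
            "security information is shared across units",
        ],
        "Work Environment": [
            "resources to detect intrusions are available",
            "working conditions reduce unintentional security incidents",
        ],
    }),
    3: ("Competency Managed", {
        "Cybersecurity Competency Analysis": [
            "required knowledge, skills and abilities are identified per role",
            "competency gaps are measured against role profiles",
            "role competency profiles are reviewed periodically",
        ],
        "Cybersecurity Competency Development": [
            "development plans address the measured gaps",
            "progress against development plans is tracked",
        ],
        "Workforce Planning": [
            "current and future cybersecurity needs are planned per role",
            "unit plans are aligned with the organizational plan",
        ],
        "Participatory Culture": [
            "staff take part in decisions affecting the security of their work",
            "lessons from incidents are discussed with the workforce",
        ],
    }),
}


def process_compliance(practices: List[str], deployed: Set[str]) -> float:
    """Fraction (0.0-1.0) of a process's practices the company has deployed."""
    if not practices:
        return 1.0
    return sum(1 for p in practices if p in deployed) / len(practices)


def evaluate(deployed: Set[str]) -> Dict[str, Dict[str, float]]:
    """Compliance degree of every process, grouped by maturity level name."""
    return {
        name: {proc: process_compliance(prs, deployed) for proc, prs in procs.items()}
        for name, procs in MODEL.values()
    }


def level_compliance(report: Dict[str, Dict[str, float]], level_name: str) -> float:
    """Assumed rule: mean of the level's process degrees; a level with no
    processes (Initial) counts as fully satisfied."""
    scores = list(report[level_name].values())
    return sum(scores) / len(scores) if scores else 1.0


def maturity_level_reached(deployed: Set[str], threshold: float = 1.0) -> int:
    """Highest level reached, walking up from Initial.

    Assumed rule: a level is reached only when each of its processes meets
    `threshold` and all lower levels are reached, so a company cannot be
    Competency Managed while a People Managed process is still incomplete."""
    report = evaluate(deployed)
    reached = 1
    for level in sorted(MODEL):
        name, procs = MODEL[level]
        if all(report[name][p] >= threshold for p in procs):
            reached = level
        else:
            break
    return reached


def summary_lines(deployed: Set[str]) -> List[str]:
    """Text rendering in the spirit of the tool's evaluation summary form."""
    report = evaluate(deployed)
    lines = [f"Maturity level reached: {maturity_level_reached(deployed)}"]
    for level in sorted(MODEL, reverse=True):
        name, procs = MODEL[level]
        lines.append(f"{level} {name}: {level_compliance(report, name):.0%}")
        for proc in procs:
            lines.append(f"  {proc}: {report[name][proc]:.0%}")
    return lines


# Constructed sample checklist: every People Managed practice is in place and
# Competency Managed has only just started.
SAMPLE_DEPLOYED: Set[str] = {p for prs in MODEL[2][1].values() for p in prs} | {
    "required knowledge, skills and abilities are identified per role",
    "development plans address the measured gaps",
}

if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_DEPLOYED)))
```

Running the block prints the summary for the constructed checklist: level 2 reached, all People Managed processes at 100%, and Competency Managed at about 21% overall. The threshold parameter makes the "reached" rule explicit; the deliverable's own tool reports percentages per process and per level, and the strict default here (every practice of every process) is the conservative reading of those percentages.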
1 Introduction 


The standard IEC-62443-2-1 considers “Security awareness for all personnel is an essential tool for 
reducing cyber security risks. Knowledgeable and vigilant staff are one of the most important lines of 
defense in securing a system. It is therefore important for all personnel to understand the importance 
of security in maintaining the safe operation of the system. All personnel should receive adequate 
technical training associated with the known threats and vulnerabilities of hardware, software and 
social engineering" [1]. 


In the same line, the American standard NERC CIP, elaborated by the North American Electric Reliability 
Corporation¹, gives personnel training a special relevance. Part CIP-004 of the standard defines a set 
of requirements whose objective is to "minimize the risk against compromise that could lead to 
misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an 
appropriate level of personnel risk assessment, training, and security awareness in support of 
protecting BES Cyber Systems." [2]. 


The European Agency of Cybersecurity, ENISA, in its report "Threat Landscape and Good Practice Guide 
for Smart Home and Converged Media", identifies Employees as one of the threat agents in a smart 
grid. By employees the report defines "staff, contractors, operational staff or security guards of a 
company. They can have access to company's resources, and they are considered as both non-hostile 
threats agents (i.e. distracted employees) as well as hostile ones (i.e. disgruntled employees)" [3]. 


On the other hand, a concern exists in energy companies about the low level of cybersecurity training 
of their staff, which is considered a real risk to the security of the company and the 
infrastructures they operate. Companies are aware that they need to improve the knowledge of their 
employees, especially those operating the most critical assets of the company. 


With this in mind, Task 3.4 of the SDN-microSENSE project addresses this challenge. In this task a 
methodology and an evaluation tool have been developed that help energy companies improve and 
assess the readiness and awareness level of energy-related personnel, EPES directors and 
managers, as well as of organizational procedures, processes and controls. 


1.1 Purpose of the document 

This document contains the work done in Task 3.4 of the SDN-microSENSE project, Energy-related 
Personnel & Processes Readiness Evaluation, where a Cybersecurity Awareness and Training Model 
and Evaluation Tool have been developed. The model provides the information needed by an energy 
company to institutionalise a set of processes to manage the cybersecurity awareness and training of 
its personnel. The evaluation tool helps to assess the level of maturity reached by the company in the 
deployment of the processes defined in the model. 


¹ North American Electric Reliability Corporation. https://www.nerc.com/ 
The Cybersecurity Awareness and Training Model contains the following elements: 

• An EPES User Roles catalogue. This catalogue, which is aligned with the roles presented in document 
D2.2, contains a description of sixteen different user roles that can exist in an energy 
company. For each role the following information is provided: role description, location, smart 
grid assets that are managed, controlled or operated, and the threats that can affect those assets. 
• A Cybersecurity Maturity Model of the company. This model contains a set of processes and 
the corresponding practices that must be institutionalised to successfully manage 
cybersecurity training in the company. 
• A Cybersecurity Competency Framework. This framework contains an exhaustive list of 
cybersecurity knowledge, skills and abilities that are required by each role in an energy 
company. 
• An Evaluation Tool. The tool is developed in EXCEL and helps the company to assess its 
maturity level in the deployment of the cybersecurity training processes. 


1.2 Methodology 
Figure 3 shows the methodology followed to develop the SDN-microSENSE Cybersecurity Awareness 
and Training Evaluation Tool. The following steps are included: 


[Figure 3: Role Analysis and Definition → Asset Classification → Cybersecurity Competency Model → Cybersecurity Capacity Model → Evaluation Tool Design → Evaluation Tool Development; input: Requirements Questionnaires] 

Figure 3. Methodology followed to elaborate the SDN-microSENSE Cybersecurity Awareness and Training Evaluation Tool 


1. Role Analysis and Definition. In this first task of the process, the catalogue of user roles in 
an energy company has been produced. For this analysis, deliverable D2.2 and the set of User & 
Stakeholder, Security and Privacy Requirements Questionnaires elaborated by the project 
partners have been used as the main inputs. 

2. Asset Classification. In this task, the smart grid assets that can be assigned to each user role 
have been identified. As input, ENISA's report "Threat Landscape and Good Practice Guide for 
Smart Home and Converged Media" has been used [3]. 

3. Cybersecurity Competency Model. In this task, we have selected the cybersecurity 
competences (knowledge, skills and abilities) that are required for each user role, from the 
National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [4]. 
The NICE Framework has been elaborated by NIST, the National Institute of Standards and 
Technology². 

4. Cybersecurity Capacity Model. In this task, the maturity model to manage the cybersecurity 
training process in a company in a successful way has been defined. For this task the People 
Capability Maturity Model (P-CMM) [5], elaborated by the Software Engineering Institute, has 
been used as a reference. 

5. Evaluation Tool Design. In this task, the design of an EXCEL tool to help the company evaluate its 
maturity level regarding cybersecurity training has been done. 

6. Evaluation Tool Development. Finally, the evaluation tool designed in the previous task has 
been developed. 


1.3 Structure of the document 
Deliverable 3.4 is divided into the following sections: 


• Section 1 is the introductory part of the report and gives the objective and the methodology 
used to elaborate the document. 
• Section 2 provides a general vision of the awareness and training evaluation methodology. It 
analyses cybersecurity standards that include requirements for awareness and training, 
existing capacity methodologies that measure the way companies manage people, and 
competence frameworks that define the knowledge and skills people need to perform 
specific functions in the company. 
• Section 3 provides the classification of user roles in an energy company and the assets and threats 
that can be assigned to each user role. 
• Section 4 presents the evaluation process of the maturity of an energy company regarding the 
cybersecurity awareness and training of its personnel. It includes a revision of existing maturity 
models and the description of the SDN-microSENSE Maturity Model. 
• Section 5 contains the SDN-microSENSE Cybersecurity Competency Model defined for energy 
companies. 
• Section 6 provides information about the EXCEL Tool that has been developed to support 
energy companies in evaluating the cybersecurity awareness and training processes in the company 
and the competence level acquired by the personnel of the company. 
• Annex I provides a detailed description of the SDN-microSENSE User Roles with their assets, the 
threats associated to these assets and the knowledge required for each role. 


² National Institute of Standards and Technology. https://www.nist.gov 
1.4 Relation to other Work Packages 
Figure 4 depicts the relationships of the deliverable to the other Work Packages (WPs). 


[Figure 4. Deliverable D3.4 relationship within the SDN-microSENSE project: D2.2 "User Security and Privacy requirements" and D2.3 "SDN-microSENSE Architecture" feed WP3, where D3.1 "Risk Assessment Methodology", D3.4 "Energy-related Personnel & Stakeholders Readiness Evaluation" and D3.5 are produced.] 

Figure 4. Deliverable D3.4 relationship within the SDN-microSENSE 


The main input for D3.4 has been D2.2, "User & Stakeholder, Security and Privacy Requirements" [6]. 
D2.2 identifies the EPES stakeholders, personnel User Roles in EPES organizations and External EPES 
actors. This initial list has been augmented with other roles that were also identified by the project 
partners in the "User & Stakeholder, Security and Privacy Requirements Questionnaires" elaborated 
during the task T2.2 of the project. Section 3.1 provides a complete list of user roles that have been 
considered in this document. 


On the other hand, some SDN-microSENSE requirements have been addressed in D3.4. These 
requirements are listed in Table 1. 


Table 1. SDN-microSENSE Requirements relevant to the Energy-related Personnel & Processes 
Readiness Evaluation. 

ID | Requirement | Priority 
[ID illegible] | The Executive Management should organise regular awareness training and certification programs for staff responsible for implementing and maintaining the security of control systems and networks. | [priority illegible] 
OR-GR-03 | The Executive Management should also ensure that the appropriate training and certification programs are also accessible for third party contractors and vendors with access to the system. | High 


Generally, the main result of an evaluation process is a report containing the maturity level reached by a company and the practices and processes that have been satisfied by the organization. This information could be used by the risk analysis process as a measure of the risk due to the human factor, in the following way: the fewer practices deployed in a company, the greater the risk related to the human factor. 
2 Cybersecurity Awareness and Training Model and Evaluation 


2.1 Why do we need a Cybersecurity Awareness and Training Model and Evaluation? 
The deployment of a methodology regarding personnel training in a company is essential and 
particularly justified by the following reasons: 


• Cybersecurity standards, like IEC 62443 and NERC CIP, include training requirements for company employees as a way to reduce cybersecurity risks and to be ready to detect and respond to a cyberattack. 

• Distractions or unintentional mistakes based on a lack of knowledge can lead to serious incidents. 

• Energy companies are concerned about the knowledge level of the workforce that is required to adopt cybersecurity measures to protect critical infrastructures. 


The Cybersecurity Awareness and Training Model and Evaluation contains a set of components that 
can be used by an EPES company to: 


• Define and adopt a set of internal processes that allow the company to reach a maturity level in the way cybersecurity training is managed. 

• Select which cybersecurity knowledge, skills and abilities are required for the different roles that exist in the company. 

• Assess the level of maturity the company has achieved. 


2.2 Training Requirements in Cybersecurity Standards 

It is important that the model can support companies in complying with certain cybersecurity 
standards. An exhaustive analysis of the EPES standards has been elaborated in Deliverable 3.1 [7]. In 
this document only those standards containing requirements for the personnel cybersecurity training 
process have been analysed: 


• 2.2.1 IEC 62443-2-1 Staff training and security awareness. 
• 2.2.2 NERC CIP-004-06 Cyber Security — Personnel & Training. 
• 2.2.3 NISTIR 7628 Guidelines for Smart Grid Cybersecurity: SG.AT — Awareness and Training. 


2.2.1 IEC 62443-2-1 Staff training and security awareness 

IEC 62443 [1] is the global standard for the security of Industrial Control System (ICS) networks and 
helps organizations reduce both the risk of failure and the exposure of ICS networks to cyberthreats. 
In part 2-1, the standard recommends that a company develop and implement an organisation-wide 
Cyber Security Management System (CSMS) which includes three processes: 


• Risk analysis, 
• Addressing risk with the CSMS, and 
• Monitoring and improving the CSMS. 

It is in the second process where "Staff training and security awareness" is addressed, as shown in Figure 5. The objective of the Staff training and security awareness process is to "Provide all personnel (including employees, contract employees and third-party contractors) with the information necessary to identify, review, address and where appropriate, remediate vulnerabilities and threats to IACS and to help ensure their own work practices are using effective countermeasures."³ 


[Figure 5. IEC 62443-2-1 Cyber Security Management System: Risk analysis; Addressing risk with the CSMS; Monitoring and improving the CSMS. Source: IEC 2312/10] 

Figure 5. IEC 62443-2-1. Cyber Security Management System 


Table 2 lists the requirements that have been defined under the Staff Training and Security Awareness. 


³ IEC 62443-2-1. Industrial communication networks — Network and system security — Part 2-1: Establishing an industrial automation and control system security program. 2010. 

Table 2. IEC 62443-2-1. Staff Training and Security Awareness Requirements 

No | Requirement | Description 
R1 | Develop a training program | The organization shall design and implement a cyber security training program. 
R2 | Provide procedure and facility training | All personnel (including employees, contract employees, and third-party contractors) shall be trained initially and periodically thereafter in the correct security procedures and the correct use of information processing facilities. 
R3 | Provide training for support personnel | All personnel that perform risk management, IACS engineering, system administration/maintenance and other tasks that impact the CSMS should be trained on the security objectives and industrial operations for these tasks. 
R4 | Validate the training program | The training program should be validated on an on-going basis to ensure that personnel understand the security program and that they are receiving the proper training. 
R5 | Revise the training program over time | The cyber security training program shall be revised, as necessary, to account for new or changing threats and vulnerabilities. 
R6 | Maintain employee training records | Records of employee training and schedules for training updates should be maintained and reviewed on a regular basis. 


2.2.2 NERC CIP-004-06 Cyber Security — Personnel & Training 

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory 
authority whose mission is to assure the effective and efficient reduction of risks to the reliability and 
security of the grid⁴. NERC develops and enforces Reliability Standards. One of these standards is the 
NERC CIP (Critical Infrastructure Protection) plan, which is a set of security requirements designed 
for the assets installed in the Smart Grid with the objective of guaranteeing their security. The current 
version of the standard is version 6, published in June 2014. 


NERC CIP is composed of 14 documents specifying the requirements for different aspects of the 
infrastructure: asset categorisation, security management control, personnel & training, incident 
reporting, recovery plans, configuration change management, etc. The document NERC CIP-004 
includes a set of requirements "to minimize the risk against compromise that could lead to 
misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an 
appropriate level of personnel risk assessment, training, and security awareness in support of 
protecting BES Cyber Systems." [2]. 


Table 3 lists CIP-004 requirements for personnel and training. 


⁴ https://www.nerc.com/AboutNERC/Pages/default.aspx 

Table 3. NERC CIP-004 Personnel & Training Requirements 

No | Requirement | Description 

R1 Security Awareness Program 
This requirement ensures that people who have authorized electronic or authorized unescorted physical access to BES Cyber Assets maintain awareness of the Responsible Entity's security practices. 
R1.1 At least once each calendar quarter, reinforces cyber security practices. 

R2 Cyber Security Training Program 
This requirement ensures that the training program covers the proper policies, access controls, and procedures to protect BES Cyber Systems and that personnel are trained before access is authorized. 
R2.1 Training content on: 
  • Cyber security policies; 
  • Physical access controls; 
  • Electronic access controls; 
  • The visitor control program; 
  • Handling of BES Cyber System Information and its storage; 
  • Identification of a Cyber Security Incident and initial notifications in accordance with the entity's incident response plan; 
  • Recovery plans for BES Cyber Systems; 
  • Response to Cyber Security Incidents; and 
  • Cyber security risks associated with a BES Cyber System's electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media. 
R2.2 Require completion of the training specified in Part 2.1 prior to granting authorized access to applicable Cyber Assets. 
R2.3 Require completion of the training specified in Part 2.1 at least once every 15 calendar months. 

R3 Personnel Risk Assessment Program 
This requirement ensures that individuals have been assessed for risk within the last 7 years. 
R3.1 Process to confirm identity. 
R3.2 Process to perform a seven-year criminal history records check as part of each personnel risk assessment. 
R3.3 Criteria or process to evaluate criminal history records checks for authorizing access. 
R3.4 Criteria or process for verifying that personnel risk assessments performed for contractors or service vendors are conducted according to Parts 3.1 through 3.3. 
R3.5 Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years. 

R4 Access Management Program 
This requirement ensures that individuals with access to BES Cyber Systems and the physical and electronic locations have been properly authorized for such access. 
R4.1 Process to authorize based on need: 
  • Electronic access; 
  • Unescorted physical access into a Physical Security Perimeter; and 
  • Access to designated storage locations, whether physical or electronic, for BES Cyber System Information. 
R4.2 Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records. 
R4.3 For electronic access, verify at least once every 15 calendar months that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the Responsible Entity determines are necessary. 
R4.4 Verify at least once every 15 calendar months that access to the designated storage locations for BES Cyber System Information, whether physical or electronic, are correct and are those that the Responsible Entity determines are necessary for performing assigned work functions. 

R5 Access Revocation 
This requirement ensures that when an individual no longer requires access to a BES Cyber System to perform his or her assigned functions, that access is revoked. 
R5.1 A process to initiate removal of an individual's ability for unescorted physical access and Interactive Remote Access upon a termination action and complete the removals within 24 hours of the termination action. 
R5.2 For reassignments or transfers, revoke the individual's authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary. 
R5.3 For termination actions, revoke the individual's access to the designated storage locations for BES Cyber System Information. 
R5.4 For termination actions, revoke the individual's non-shared user accounts. 
R5.5 For termination actions, change passwords for shared account(s) known to the user within 30 calendar days of the termination action. 


In the definition of the SDN-microSENSE Cybersecurity Awareness and Training Model the first three 
requirements have been considered: 


• R1. Security Awareness Program 
• R2. Cyber Security Training Program 
• R3. Personnel Risk Assessment Program 


Requirements R4 and R5 address the procedures to grant and revoke access permissions for company 
personnel or external parties, which are not considered in our model. 


2.2.3 NISTIR 7628 Guidelines for Smart Grid Cybersecurity. Awareness and Training 

The US Smart Grid Interoperability Panel (SGIP) Cybersecurity Working Group published the "NISTIR 
7628, Guidelines for Smart Grid Cybersecurity" in 2010 [8], evaluating the security problems of the 
Smart Grid. Its content proposes guidelines for selecting and modifying cybersecurity requirements, 
with the aim of guaranteeing the interoperability of the solutions implemented in the system. 

The document, in its third chapter, provides a detailed description of 19 recommended security 
requirements, including 7 requirements for Smart Grid Awareness and Training (SG.AT) which address 
the following objective: 


"Smart grid information system security awareness is a critical part of smart grid information system 
incident prevention. Implementing a smart grid information system security program may change the 
way personnel access computer programs and applications, so organizations need to design effective 
training programs based on individuals' roles and responsibilities" [8]. 


Smart Grid Awareness and Training requirements are listed in Table 4. 


Table 4. NISTIR 7628 SG.AT — Awareness and Training 

Requirement | Description 

SG.AT1 Awareness and Training Policy and Procedures. 
  • The organization develops, implements, reviews, and updates, on an organization-defined frequency, a documented awareness and training security policy. 
  • Management commitment ensures compliance with the organization's security policy and other regulatory requirements; 
  • The organization ensures that the awareness and training security policy and procedures comply with applicable federal, state, local, tribal, and territorial laws and regulations. 

SG.AT2 Security Awareness. 
The organization provides basic security awareness briefings to all Smart Grid information system users (including employees, contractors, and third parties) on an organization-defined frequency. 

SG.AT3 Security Training 
The organization provides security-related training: 
  • Before authorizing access to the Smart Grid information system or performing assigned duties; 
  • When required by Smart Grid information system changes; and 
  • On an organization-defined frequency thereafter. 

SG.AT4 Security Awareness and Training Records 
The organization maintains a record of awareness and training for each user in accordance with the provisions of the organization's training and records retention policy. 

SG.AT5 Contact with Security Groups and Associations 
The organization establishes and maintains contact with security groups and associations to stay up to date with the latest recommended security practices, techniques, and technologies and to share current security-related information including threats, vulnerabilities, and incidents. 

SG.AT6 Security Responsibility Testing 
  • The organization tests the knowledge of personnel on security policies and procedures based on their roles and responsibilities to ensure that they understand their responsibilities in securing the Smart Grid information system; 
  • The organization maintains a list of security responsibilities for roles that are used to test each user in accordance with the provisions of the organization training policy; and 
  • The security responsibility testing needs to be conducted on an organization-defined frequency and as warranted by technology/procedural changes. 

SG.AT7 Planning Process Training 
The organization includes training in the organization's planning process on the implementation of the Smart Grid information system security plans for employees, contractors, and third parties. 


2.3 Components of the Cybersecurity Awareness and Training Model and Evaluation 
Figure 6 shows the components of the SDN-microSENSE Cybersecurity Awareness and Training Model 
and Evaluation: 


1. An EPES User Roles catalogue. This catalogue contains the description of sixteen User Roles that exist in Energy Companies, like system and power plant operator, substation engineer, OT manager, installer, or security administrator. For each role, the catalogue contains the role description, location, assets that are managed, operated or maintained, and common threats associated with those assets. 

2. A Cybersecurity Maturity Model. Three maturity levels that define the degree to which the awareness and training processes have been deployed in the company. 

3. A Cybersecurity Capacity Framework. Included in the User Role catalogue, containing a complete set of knowledge, skills and abilities to be acquired by the company personnel to face potential cybersecurity problems. 

4. An EXCEL Evaluation Tool to assess the degree of maturity achieved by the company. It provides different check lists to validate whether processes have been deployed or not, and provides statistics and graphs showing the company's level of maturity. 
[Figure 6. Components: EPES User Role Catalogue; Cybersecurity Capability (knowledge, skills, abilities); Maturity Model; Evaluation Tool] 

Figure 6. Components of the Cybersecurity Awareness and Training Model and Evaluation 


2.4 Target audience 

The target audience of the Cybersecurity Awareness and Training Model and Evaluation are the EPES 
stakeholders. The initial list of stakeholders provided in deliverable D2.2 [6] of the project has been 
augmented with other roles that were identified by the project partners in the “User & Stakeholder, 
Security and Privacy Requirements Questionnaires” elaborated during the task T2.2 of the project. A 
description of the EPES stakeholders and user roles is provided in Section 3.1. 


2.5 User Role Catalogue 

The User Role Catalogue is a document that contains information about the different activity roles 
that exist in the company. This catalogue is an important input for the Cybersecurity Awareness and 
Training Model, as it will help the company to adapt the training processes to the specific cybersecurity 
requirements of each activity. The information that the User Role Catalogue includes for each role is 
the following: 


1. Role name 
2. Role description 
3. Activity of the company (see D2.2) 
4. Assets that are managed, controlled or used by the people in the role (see Section 3.3). 
5. Threats & Vulnerabilities by which the assets may be affected (see Section 3.4). 
6. Cybersecurity knowledge that is necessary for the performance of the activity (see Section 5.2). 
7. Skills and Abilities that must be acquired (see Section 5.2). 


Table 5 shows the template that has been used to gather the user role information. A complete 
description of the sixteen user roles defined in the SDN-microSENSE project is provided in Annex I. 


Table 5. Role Activity Description table 

Role Description 
Stakeholders 
Location 

Assets (Category | Assets) 
  Information | Asset data; Operational 
  Managed software | Databases; Applications 
  Used services | Oriented to the staff; Oriented to the network 
  Used hardware | Clients; Media devices; Displays; Human interaction 
  Infrastructure | Facilities 

Threats & Vulnerabilities 
  Unintentional damage; Damage/Loss (IT Assets); Failures/Malfunction; Eavesdropping/Interception; Nefarious Activity/Abuse 

Cybersecurity Knowledge 
  Knowledge | Communication Networks; Cybersecurity; Information and Comm Tech; Information Management; Laws and Regulations; Organisational; Technology Trend 
  Skills | Communication Networks; Cybersecurity; Information and Comm Tech; Information Management; Laws and Regulations; Organisational 
  Abilities | Communication Networks; Cybersecurity; Information and Comm Tech; Information Management; Laws and Regulations; Organisational 


2.6 Integration with the SDN-microSENSE Risk Assessment Framework 

As shown in Table 5, the User Role Catalogue includes information about the assets, threats and 
vulnerabilities of the different roles in a company. The best way to obtain this information is through 
the execution of a Risk Assessment Process. 


An EPES Risk Assessment Methodology has been defined in deliverable D3.1 of SDN-microSENSE. It is 
a risk assessment framework designed to address the various cascading effects that are associated 
with security incidents occurring in the whole energy chain. The methodology is composed of 7 steps 
(numbered from 0 to 6), as can be seen in Figure 7: 


• Step 0: Scope of the Energy Chain Risk Assessment (ECRA) 
• Step 1: Analysis of the EPES 
• Step 2: EPES cyber threat analysis 
• Step 3: Vulnerability Analysis 
• Step 4: Impact Analysis 
• Step 5: Risk Assessment 
• Step 6: Risk mitigation: Selection of security controls 
[Figure 7: Energy Chain Risk Assessment steps 0 to 6 (Analysis, Assessment, Report)] 

Figure 7. Energy Chain Risk Assessment basic steps 


A company can use the results of several steps of the methodology to obtain the information needed 
for the User Role Catalogue. For example, the result of Step 1 (Analysis of the EPES) will provide the 
information about which assets are critical in each user role, and Steps 2 and 3 (threat and 
vulnerability analysis) will generate the input of the Threat and Vulnerability sections in the User Role 
Catalogue. This integration of the Risk Assessment Methodology and the Cybersecurity Awareness and 
Training Model can be seen in Figure 8. 


Moreover, the results of the Risk Analysis can provide, on their own, relevant information to be transmitted 
to the company personnel during the awareness and training process. Finally, as also explained in 
Deliverable 3.1, the results of the personnel evaluation can be used for the calculation of the overall 
Risk Assessment results. 

Figure 8. Integration of the Risk Assessment Process with the Cybersecurity Awareness and 
Training Model 
3 Activity Roles in an Energy Company 


3.1 EPES Stakeholders and Roles 

Section 2.3 of Deliverable 2.2 [6] identifies the EPES stakeholders, personnel User Roles in EPES 
organizations and External EPES actors. This initial list has been augmented with other roles that were 
also identified by the project partners in the "User & Stakeholder, Security and Privacy Requirements 
Questionnaires" elaborated during the task T2.2 of the project. The result is a list of sixteen different 
user roles that are shown in Figure 9. 




Figure 9. List of Activity Roles 
More specifically: 


• Executive Manager: responsible for defining, executing, supervising and updating the operational plan of the organisation, including cybersecurity. 

• Security Administrator: responsible for installing, managing and troubleshooting the organisation's security mechanisms. The security administrator undertakes to ensure the proper operation of the organisation in terms of the security aspect and is also in charge of assuring the readiness and awareness level of all the personnel. 
• Power Plant Operators: Power plant operators monitor, control, and configure the power plant operation. They use control boards (SCADA⁵) to distribute power from generators among loads and regulate the output of several generators. These systems are the main targets of attackers, since they would allow them to modify and interrupt the physical process of power generation. Special attention should be paid to avoid any action that allows an intruder to install anything on computers that are connected to this system, and to identify any suspicious activity that may indicate a threat to the system. 

• System Operator/Engineer: Engineers/system operators manage the power grid from a set of computer consoles within a control centre. This way, the reliable delivery of electricity to consumers, businesses and industry is ensured. System operators interact with the field staff, general personnel, substation personnel and other system operators within their own utility and/or other utilities. From the cybersecurity point of view, their responsibilities are similar to those of the Power Plant Operators: to avoid taking any action that allows an intruder to install anything on any computer connected to the SCADA, and to identify any suspicious action or abnormal behaviour of the grid. 

• Operational Technology Manager/Communication Administrator: An operational technology manager/communication administrator is responsible for monitoring and controlling the operational characteristics of the industrial equipment and the maintenance of the communication channels. This role also involves performing risk assessments regularly in line with the information policies, standards and guidelines. 

• Substation Engineer: Substation engineers create the design plans of the transmission and distribution substations. The substation engineer should consider cybersecurity aspects during the design phase, probably in collaboration with the OT Manager/Communication Administrator. 

• Substation Operator: Substation operators monitor and control the operation of transmission or distribution substations. From the cybersecurity point of view, their responsibilities are similar to those of the Power Plant Operators. 

• Installer (Technical Staff): The installer oversees the installation and maintenance of the electrical and electronic devices. The installer should guarantee the security of the whole system after any installation and maintenance process, and should be able to detect any situation that could indicate that there has been an intrusion into the system. 

• Facility Operator in a Power Plant: Facility operators operate the electrical equipment of the power plant. Like the substation operator, but in a power plant. 

• Field Engineer: Field engineers maintain and protect the physical infrastructure of the power plant. Similar to the Substation Engineer. 

• Energy Trader: Energy traders trade energy between cooperating parties and cooperate with the System Operator to achieve the desired status. This role could be performed by the system operator in a TSO. 

• AMI and Demand Side Manager: AMI managers gather real-time meter readings and manage load control switching mechanisms. 

• Prosumer: Prosumers generate, store and consume renewable energy in their environment. 

• Building Energy Manager: Provides energy-related services to end-users. 

⁵ SCADA. Supervisory Control And Data Acquisition. 

• Developers: They develop and provide hardware and software components and solutions. 
• IT User: people from administrative departments supporting the operational roles. 


Table 6 shows the different activity roles identified in the different energy companies. 


Table 6. User Roles in an EPES company 

User Role | Role description | Stakeholder 
[The Stakeholder columns (one check mark per stakeholder type, among them Energy Services and Manufacturer) are not legible in the extracted text.] 

Executive Manager | Defining, executing, supervising and updating the operational plan of the organisation 
Security Administrator | Installing, managing and troubleshooting the organisation's security 
Power Plant Operator | Monitoring, controlling and configuring the power plant operation 
Facility Operator (Power Plant) | Operating the electrical equipment of the power plant 
Field Engineer | Maintaining and protecting the infrastructure 
System Operator / Engineer | Managing the power grid from a set of computer consoles within a control centre 
Energy Trader | Trading of energy between cooperating parties. Cooperating with the System Operator to achieve the desired status 
AMI and Demand Side Manager | Gathering real-time meter readings and managing load control switching mechanisms 
Operational Tech Manager / Communication Administrator | Monitoring and controlling the operational characteristics of the industrial equipment 
Substation Engineer | Creating the design plans of the transmission or distribution substations 
Substation Operator | Monitoring and controlling the operation of transmission or distribution substations 
Installer | Installing and maintaining the electrical and electronic devices 
Prosumer | Generating, storing and consuming renewable energy in its environment 
Building Energy Manager | Providing energy-related services to end-users 
Developer | Developing and providing hardware and software components and solutions 
IT User | Supporting the operational roles 


3.2 Matching User Roles with Smart Grid Architecture Model (SGAM) 

The Smart Grid Architecture Model (SGAM)⁶ is a reference model to analyse and visualize smart grid 
use cases in respect to interoperability, domains and zones. As shown in Figure 10, SGAM consists 
of five consistent layers representing business objectives and processes, functions, information 
models, communication protocols and components. These five layers represent an abstract version of 
the interoperability categories introduced in the Reference Architecture working group report. A brief 
description of each SGAM layer is provided in Table 7. 


The intention of this model is to allow the presentation of the current state of implementations in the 
electrical grid, but furthermore to present the evolution to future smart grid scenarios by supporting 
the principles of universality, localization, consistency, flexibility and interoperability [9]. 


⁶ The Smart Grid Architecture Model (SGAM) was created in the M/490 mandate of the European Commission 
(EC) to the European standardization bodies CEN (Comité Européen de Normalisation), CENELEC (European 
Committee for Electrotechnical Standardization), and ETSI (European Telecommunications Standards Institute) 
with the focus on finding existing technical standards applicable to Smart Grids as well as identifying gaps in 
state-of-the-art and standardization. 
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Figure 10. SGAM Framework. 


Table 7. SGAM Layers

Layer | Description
Business | Represents business cases which describe and justify a perceived business need
Function | Represents use cases including logical functions or services independent from physical implementations
Information | Represents information objects or data models required to fulfil functions and to be exchanged by communication
Communication | Represents protocols and mechanisms for the exchange of information between components
Component | Represents physical components which host functions, information and communication means


SGAM Domains and Zones

Each layer covers the smart grid plane, shown in Figure 11, which is spanned by SGAM domains and zones. Zones represent the hierarchical levels of power system management: Process, Field, Station, Operation, Enterprise and Market. Domains cover the complete electrical energy conversion chain: Bulk Generation, Transmission, Distribution, DER and Customer Premises [9]. Table 8 provides a brief description of the SGAM domains, while the SGAM zones are described in Table 9.


[Figure 11: the smart grid plane, with the domains Generation, Transmission, Distribution, DER and Customer Premise along the Power System Equipment & Energy Conversion axis, and the hierarchical zones Process, Field, Station, Operation, Enterprise and Market along the Information Management axis]

Figure 11. Smart Grid Plane. Domains and hierarchical zones


Table 8. SGAM Domains

Domain | Description
Bulk Generation | Representing generation of electrical energy in bulk quantities, such as by fossil, nuclear and hydro power plants, off-shore wind farms and large-scale photovoltaic (PV) power, typically connected to the transmission system
Transmission | Representing the infrastructure and organization which transports electricity over long distances
Distribution | Representing the infrastructure and organization which distributes electricity to customers
DER | Representing distributed electrical resources, directly connected to the public distribution grid, applying small-scale power generation technologies (typically in the range of 3 kW to 10,000 kW). These distributed electrical resources can be directly controlled by the DSO
Customer Premises | Hosting both end users and producers of electricity. The premises include industrial, commercial and home facilities (e.g. chemical plants, airports, harbours, shopping centres, homes). Electricity generation in the form of photovoltaic generation, EV storage, batteries or micro turbines is also hosted.

Table 9. SGAM Zones

Zone | Description
Process | Including both the primary equipment of the power system (e.g. generators, transformers, circuit breakers, overhead lines, cables, electrical loads) and physical energy conversion (e.g. electricity, solar, heat, water, wind).
Field | Including equipment to protect, control and monitor the process of the power system, e.g. protection relays, bay controllers, any kind of intelligent electronic devices which acquire and use process data from the power system.
Station | Representing the aggregation level for fields, e.g. for data concentration or substation automation.
Operation | Hosting power system control operation in the respective domain, e.g. distribution management systems (DMS), energy management systems (EMS) in generation and transmission systems, microgrid management systems, virtual power plant management systems (aggregating several DER), electric vehicle (EV) fleet charging management systems.
Enterprise | Includes commercial and organizational processes, services and infrastructures for enterprises, e.g. asset management, staff training, customer relationship management, billing and procurement.
Market | Reflecting the market operations possible along the energy conversion chain (e.g. energy trading, mass market, retail market).


Finally, Table 10 shows the matching of the EPES user roles defined in this document to the zones and domains of the SGAM model.


Table 10. Matching User Roles with Smart Grid Architecture Model (SGAM)

Zone | Generation | Transmission | Distribution | DER | Customer Premise
Market | Executive Manager | Executive Manager | Executive Manager | Executive Manager, Energy Trader | Executive Manager, Prosumer
Enterprise | Security Administrator, IT User | Security Administrator, IT User | Security Administrator, IT User | Security Administrator, IT User | Prosumer
Operation | Power Plant Operator | System Operator | System Operator | RES Operator | Demand Side Operator, AMI and DSM Manager
Station | Field Engineer, Facility Operator | Substation Engineer, Substation Operator | Substation Engineer, Substation Operator | Field Engineer, Facility Operator | Building Energy Manager, Prosumer
Field | OT Manager, Installer | OT Manager, Installer | OT Manager, Installer | OT Manager, Installer | OT Manager, Installer
Process | Installer | Installer | Installer | Installer | Installer
3.3 Smart Grid Assets

According to the Risk Assessment Framework defined in Deliverable 3.1, a decomposition of the cyber assets of the infrastructure managed by the company has to be done in step 1 of the Risk Assessment Methodology.

An asset is defined in Deliverable 3.1 as "anything that is considered to be of value. Generally, an asset may be any physical or virtual entity that needs to be protected. An asset could be the personnel (employees or customers), material, information (e.g. databases or critical data), or intangibles (reputation or intellectual property)" [7]. In the context of the SDN-microSENSE project, assets come from the Smart Grid field (e.g. ICS/SCADA), the SDN field and the legacy ICT field.

In the context of the Cybersecurity Awareness and Training Model, asset analysis is also important to adapt the awareness and training process to the specific user roles defined in the company. Depending on the type of asset (information, hardware devices, communication network components, physical infrastructures, etc.), different knowledge and skills may be required to manage and protect it, and the training process can be adapted to the vulnerabilities of specific assets.


ENISA⁷, the European Union Agency for Cybersecurity, has elaborated a report entitled "Smart Grid Threat Landscape and Good Practice Guide" [3]. This report provides an exhaustive classification of the assets that exist in the Smart Grid, the threats to which they are exposed and good practices for smart grid security measures. In the following subsections we have associated this classification of assets and threats with the information provided by project partners during the elaboration of Deliverable 2.2 about the user roles that exist in the company, the relevant equipment/technologies (e.g. RTUs, PLCs, Smart Meters, SCADA, etc.) used by each user role, the type of network (HAN, NAN, WAN, etc.) and their cybersecurity-awareness level. Figure 12, taken from ENISA's report, shows the asset classification. This classification has been used to identify the assets that are managed, controlled or used by each user role.

Table 11 maps the smart grid assets defined in ENISA's report to the user roles identified in the previous section.

7 ENISA: https://www.enisa.europa.eu/

Figure 12. Smart grid assets. Source: ENISA⁷
Table 11. Association between Company roles and Smart Grid Assets

(The role columns of this table, among them Power Plant Operator, Executive Manager, Security Administrator, AMI and Demand Side Manager and System Operator / Substation Engineer, mark which roles manage, control or use each asset; the marks and the Category column could not be recovered.)

Asset Type | Description
Microgrid Controllers | (description not recovered)
End devices | Smart meter, local and neighbourhood network access point, external displays, home automation components, AMI head end. A main issue when talking about hardware is the supply chain.
Servers | Hardware servers
Clients | PC, notebook, tablet, mobile phone, smart appliances (e.g. thermostats, pumps, heaters)
Network Components | Switch, router, bridge, repeater, modem, gateway, firewall, WLAN access point
3.4 Smart Grid Threats

Following the Risk Assessment Methodology of Deliverable 3.1 [7], the next step is the EPES cyber threat analysis. In this step "individual cyber threats against the EPES cyber assets are identified based on Energy Chain participants' expertise and knowledge, with usage of existing repositories of cyber threats". This information should also be considered in the Cybersecurity Awareness and Training Model, to adapt the training process and the training contents to the specific threats that can be associated with each user role.

A detailed analysis of the threats for EPES has been provided in Deliverable 3.2. Although the "RESTRICTED" classification of Deliverable 3.2 does not allow the disclosure of information related to Smart Grid threats, the threat classification that appears in ENISA's report "Smart Grid Threat Landscape and Good Practice Guide" [3] is used here; it is shown in Figure 13:


• Physical Attack: bomb, sabotage, vandalism, theft, fraud, unauthorised physical access, etc.
• Unintentional data damage: erroneous use of information and administration of devices, unintentional alteration of data, inadequate design, etc.
• Natural Disasters: fire, flood, pollution, thunder stroke, environmental events, etc.
• Outages: internet outage, loss of support, strike, energy outage, lack of resources, etc.
• Damage and/or loss of IT Assets: destruction of records, damage by third party, loss of information, etc.
• Failures / Malfunction: failure or malfunction of devices, disruption of communications or services, etc.
• Eavesdropping / Interception / Hijacking: interception of information, man in the middle, replay of messages, repudiation of actions, etc.
• Nefarious Activity / Abuse: denial of service, malicious code activity, falsification of records, manipulation of hardware/software, unauthorised installation/use of software, unauthorised access to systems, etc.
• Legal: unauthorised use of copyright, violation of law, etc.


[Figure 13: ENISA threat taxonomy, grouping the threats listed above into Natural disaster, Deliberate physical attacks, Damage/Loss of IT assets, Unintentional data damage, Failures/Malfunction, Outages, Eavesdropping/Interception/Hijacking, Nefarious Activity/Abuse and Legal]

Figure 13. Smart grid threats. Source: ENISA [3]
It should be noted that, as the focus of the deliverable is the evaluation of personnel and processes, the purpose of this section is not to provide an analysis of the threats per se, but to highlight the actors, personnel and user roles which can be associated with those threats. For this reason, Table 12 associates threats with threat agents and also with Smart Grid assets.
Table 12. Association between threats, threat agents and Smart Grid Assets

(The asset columns of this table, marking which Smart Grid asset categories each threat affects, could not be recovered; the threat groups, threats and threat agents are listed below.)

Physical Attack
Threat | Threat Agents
Bomb attack | Terrorists
Fraud | Employees
Sabotage | All
Vandalism | Employees, Terrorists, Rioters
Theft | All
Information leakage | All
Unauthorised physical access | All
Coercion, extortion or corruption | All

Unintentional damage (accidental)
Threat | Threat Agents
Information leakage / sharing due to user error | Employees
Erroneous use or administration of devices and systems | Employees
Using information from an unreliable source | Employees
Unintentional change of data in an information system | Employees
Inadequate design or lack of adaptation | Employees

Disaster (natural, environmental)
Threat | Threat Agents
Fire | Natural Disaster
Flood | Natural Disaster
Pollution, dust, corrosion | Natural Disaster
Thunder stroke | Natural Disaster
Water | Natural Disaster
Unfavourable climatic conditions | Natural Disaster
Major events in the environment | Natural Disaster

Damage/Loss (IT Assets)
Threat | Threat Agents
Damage caused by a third party | Third Party
Damages resulting from penetration testing | Third Party
Loss of (integrity of) sensitive information | All
Loss of device, storage media and documents | All
Destruction of records, devices or storage media | All
Information leakage | All

Failures / Malfunction
Threat | Threat Agents
Failure of devices or systems | N/A
Failure or disruption of communication links | N/A
Failure or disruption of main supply | N/A
Failure or disruption of service providers | N/A
Malfunction of equipment | N/A
Insecure interfaces | N/A

Outages
Threat | Threat Agents
Lack of resources | N/A
Lack of electricity | N/A
Absence of personnel | N/A
Strike | N/A
Loss of support services | N/A
Internet outage | N/A
Network outage | N/A

Eavesdropping / Interception / Hijacking
Threat | Threat Agents
War driving | (not recovered)
Intercepting compromising emissions | All
Interception of information | All
Interfering radiation | Corporations, Terrorists
Replay of messages | …, Employees
Network reconnaissance and information gathering | All
Man in the Middle / Session hijacking | All
Repudiation of actions | All

Nefarious Activity / Abuse
Threat | Threat Agents
Identity theft | All
Unsolicited e-mail | Cybercriminals, Hacktivists
Denial of Service | Cybercriminals, Hacktivists
Malicious code / software / activity | All
Social engineering | Cybercriminals, Hacktivists
Abuse of information leakage | All
Generation and use of rogue certificates | All
Manipulation of hardware and software | All
Manipulation of information | (not recovered)
Misuse of audit tools | All
Falsification of records | (not recovered)
Misuse of information | All
Unauthorized use of administration of devices and systems | All
Unauthorized access to the information system / network | All
Unauthorized changes of records | Cybercriminals
Unauthorized installation of software | All
Unauthorized use of software | All
Compromising confidential information (data breaches) | All
Abuse of authorisations | All
Abuse of personal data | (not recovered)
False rumour and/or fake warning | (not recovered)
Spyware or deceptive adware | (not recovered)
Remote activity (execution) | All
Targeted attacks | Corporations, Cybercriminals

Legal
Threat | Threat Agents
Violation of laws or regulations / Breach of legislation | Corporations, Employees, Cybercriminals
Failure to meet contractual requirements | Employees
Unauthorized use of copyrighted material | Corporations, Employees, Cybercriminals
4 Cybersecurity Maturity Model

In the article "Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements"¹⁰, J. Rose provides the following definition of a Maturity Model: "Maturity models establish a systematic basis of measurement for describing the 'as is' state of a process. A process's maturity can then be compared to management's expectations or contrasted with the maturity of other similar processes for benchmarking purposes. Insights also can be derived from the model for determining improvement options that help a process to satisfy its intended objectives over time."

One of the components of the SDN-microSENSE Cybersecurity Awareness and Training Model is the Cybersecurity Maturity Model. In the context of SDN-microSENSE, the Cybersecurity Maturity Model is defined as a set of processes and practices that have to be defined and deployed in a company to improve the competency level of its personnel in cybersecurity aspects.

The SDN-microSENSE Cybersecurity Maturity Model is based on the People CMM [5]. Elaborated by the Software Engineering Institute¹¹, this model guides organizations in improving their processes for managing and developing their workforce. The People CMM's primary objective is to improve the capability of the workforce, defined as the level of knowledge, skills and process abilities available for performing an organization's business activities.

Tecnalia is an official partner of the CMMI Institute¹² and has extensive experience in the implementation of CMMI models in industry. Tecnalia has an expert team with proven experience in the definition of methods, processes and tools to support compliance with these reference models. This is the reason why the People CMM has been chosen as the reference model for the development of the SDN-microSENSE Capability Maturity Model.


4.1 People CMM

The People CMM consists of five maturity levels (Initial, Managed, Defined, Predictable and 
Optimizing) that establish successive foundations for continuously improving individual competencies, 
developing effective teams, motivating improved performance, and shaping the workforce an 
organization needs to accomplish its business plans. Each maturity level of the People CMM, except 
for the Initial Level, consists of three to seven process areas. Process areas identify the capabilities that 
must be defined and deployed to achieve a maturity level. They describe the practices that an 
organization should implement to improve its workforce capability. Figure 14 shows the maturity levels 
and process areas of each level defined in the People CMM. 


10 J. Rose, "Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements", 2017. Available: http://bit.ly/2wyuWPV.

11 Software Engineering Institute: https://www.sei.cmu.edu/

12 CMMI Institute: https://cmmiinstitute.com/
[Figure 14: People CMM maturity levels and the process areas of each level]
Optimizing: Continuous Workforce Innovation; Organizational Performance Alignment; Continuous Capability Improvement
Predictable: Mentoring; Organizational Capability Management; Quantitative Performance Management; Competency-Based Assets; Empowered Workgroups; Competency Integration
Defined: Participatory Culture; Workgroup Development; Competency-Based Practices; Career Development; Competency Development; Workforce Planning; Competency Analysis
Managed: Compensation; Training and Development; Performance Management; Work Environment; Communication and Coordination; Staffing
Initial: (no process areas)

Figure 14. People CMM maturity levels.


Each process area is described through a set of goals, commitments, abilities, practices, measurements 
and verification. This model provides a good starting point for the definition of a specific cybersecurity 
maturity model for an energy company. 


4.2 SDN-microSENSE Cybersecurity Capability Maturity Model 

Cybersecurity training cannot be improvised after the company or society has suffered some type of cyber-attack, nor can it be left to the employees themselves. It is necessary to establish a set of procedures that define what skills and knowledge each person in the company should have, depending on their work activity, and how to acquire those skills and knowledge.

The objective of the Cybersecurity Capability Maturity Model is to define best practices in order to improve the capability of an organisation in terms of the cybersecurity knowledge, skills and abilities available for performing cybersecurity activities. It helps organisations in the energy sector to define and implement the processes needed to train their staff in cybersecurity.

The model includes the following components:

• Maturity levels. They represent different levels of organizational capability for managing and developing the training, skills and competences processes to generate a cybersecurity culture inside an energy company.
• Processes. Each maturity level, with the exception of the Initial Level, consists of four processes, which identify the capabilities that must be defined and deployed in the company to achieve a maturity level.




• Practices. Processes include a set of practices that are needed for achieving the process goal.
• Tips. Advice or examples of evidence that can help the company to define and deploy a specific practice. They can also be seen as examples of evidence to verify that the practice is being carried out.


Figure 15 shows the different components of the Maturity Model and the relationship among them.

[Figure 15: Cybersecurity Capability Maturity Model in the Energy Sector: Level 1, Level 2 and Level 3, each containing Process 1 … Process n]

Figure 15. Components of the SDN-microSENSE Cybersecurity Capability Maturity Model


4.3 Maturity Levels 

The first component of the model is the maturity levels. They represent different levels of 
organizational capability for managing and developing the training, skills and competences processes 
to generate a cybersecurity culture inside an energy company. 


The SDN-microSENSE Cybersecurity Capability Maturity Model considers 3 maturity levels:

• Initial level, where processes, although they may exist in the organisation, are not defined or not homogeneously defined and deployed. All companies are at this initial level by default.
• People Managed level, where processes oriented to the management of personnel cybersecurity training are defined and deployed.
• Competency Managed level, where processes oriented to the management of cybersecurity competences are defined and deployed.


Figure 16 shows the maturity levels of the SDN-microSENSE CCMM.

[Figure 16: SDN-microSENSE Cybersecurity Capability Maturity Model]
Competency Managed: People are trained and qualified according to their roles in the company and according to the threats that they, or the equipment and systems they handle, may suffer.
People Managed: Managers take responsibility for managing and developing the awareness and training of the workforce.
Initial: Awareness and training practices are applied inconsistently and in a reactive manner.

Figure 16. Maturity levels of the SDN-microSENSE Cybersecurity Capability Maturity Model


Table 13 analyses the way the following aspects are considered in each maturity level:

• The formalisation of the training and awareness processes.
• Communication and coordination practices.
• The work environment.
• The incorporation of cybersecurity competences as part of personnel competency.


Table 13. Maturity Levels

Topics / Disciplines | Initial | People Managed | Competency Managed
Training and awareness processes | Not formalized at organisational level. Personnel are not sufficiently aware of the precautions they should take. | Formalised but not individualised. Cybersecurity awareness is promoted based on general information and best practices. | Individualised to each user role. The organization adapts its training practices based on lessons learned and risk assessment.
Communication and Coordination | There are no processes to transmit and share information about detected cybersecurity risks and incidents. | Mechanisms to report and share risks and incidents are established. | Participatory culture.
Work Environment | There are no cybersecurity working conditions. | Companies deploy basic cybersecurity working conditions to allow individuals to perform their cybersecurity tasks efficiently and to avoid unintentional incidents. At this level companies also deploy basic cybersecurity measures. | Companies deploy consistent working conditions to allow individuals to perform their cybersecurity tasks efficiently, based on planned processes. Specific measures are adopted based on a risk assessment process.
Cybersecurity Competences | Have not been identified. | Are part of the personnel competences in each role and are considered in the staffing processes (recruiting, compensating). | Based on a competency analysis of each user role.

Figure 17 shows the processes defined in each maturity level.

[Figure 17: SDN-microSENSE Cybersecurity Capability Maturity Model, processes per level]
People Managed: Training and Development; Communication & Coordination; Work Environment; Staffing
Competency Managed: Cybersecurity Competency Analysis; Cybersecurity Competency Development; Participatory Culture; Workforce Planning

Figure 17. Processes defined in each maturity level.
4.3.1 Initial Level

Organizations at the Initial Level present the following situation:

• Cybersecurity training practices are not formalized at organisational level, and awareness is managed in an ad hoc and sometimes reactive manner, for example after a cyberattack on the company or in society.
• There is limited concern about cybersecurity risk, and personnel are not sufficiently aware of the precautions they should take, for example when opening emails, connecting external devices to the laptop, executing field maintenance operations, etc.
• There are no processes to transmit and share information about detected cybersecurity risks and incidents, and this information is not shared with other entities.
• The organisation has not identified the cybersecurity capabilities (knowledge, skills and abilities) required in each workplace.
• In general, processes may be executed, but without formalism and sometimes chaotically. Good results in terms of cybersecurity management depend on additional efforts made by the most capable people.
• Exceptional results in the execution of cybersecurity activities can be achieved, as long as the best people are assigned to these tasks.

At this level there are no defined and managed processes.


4.3.2 People Managed Level

Organizations at the People Managed Level present the following situation:

• There is awareness of cybersecurity risks and activities at the organizational level.
• Training and awareness policies, processes and procedures related to cybersecurity practices are defined and implemented.
• Staff have adequate resources to perform their cybersecurity duties.
• Cybersecurity information is shared within the organization on a formal basis.
• The organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.
• Responsibilities and authorities related to the execution of cybersecurity activities are assigned according to cybersecurity needs.
• Previous successes in cybersecurity risk management and practices are repeatable in the future.
• Discipline helps to maintain cybersecurity practices in times of stress.
• Managers have visibility of cybersecurity activities and results.


Frequent problems that keep people from performing effectively in low-maturity organizations include work overload, environmental distractions, unclear performance objectives or feedback, lack of relevant knowledge or skill, poor communication, and undefined roles and responsibilities.

Special attention is paid to managers. The first step toward improving the cybersecurity competencies of the personnel is to get managers to take workforce activities regarding cybersecurity issues as high-priority responsibilities of their job. It is difficult to implement organization-wide practices if managers are not performing the basic workforce practices required to manage their units.

The practices implemented at the People Managed Level focus a manager's attention on unit-level issues such as staffing, coordinating commitments, providing resources, managing performance, developing skills, and making compensation decisions related to cybersecurity issues.


4.3.3 Competency Managed Level

Organizations at the Competency Managed Level present the following situation:

• Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
• There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes and procedures to address potential cybersecurity events.
• Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on its systems and networks.
• The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
• The primary objective of the Competency Managed Level is to help an organization gain a competitive advantage by developing the various competencies that must be combined in its workforce to accomplish its business activities.
• Each workforce competency represents a distinct integration of the knowledge, skills and process abilities required to perform some of the business activities that contribute to an organization's core competency.
• The members of the organization's workforce who share the knowledge, skills and process abilities of a particular workforce competency constitute a competency community.


4.4 People Managed Processes 

A process identifies the capabilities that must be defined and deployed in the company to achieve a 
maturity level. In the People Managed Level, the organization establishes a cybersecurity culture 
focused at the user role level, ensuring that people know the main cybersecurity functions 
associated with their role in the company and that they adopt the required cybersecurity measurements. 


In achieving People Managed Level, the organization develops the capability to manage cybersecurity 
skills and performance at the user role level. 


The processes in the People Managed Level are: 


1. Training and development. 
2. Staffing. 
3. Work environment. 
4. Communication and coordination. 


4.4.1 Training and Development 

Table 14 provides the description of the Training and Development process of level 2. The information 
contained in the table has been elaborated from the Training and Development Process Area 
defined in People CMM [13]. The information has been adapted to the Cybersecurity Context of the 
SDN-microSENSE project. 


Table 14. Process description: Training and Development 


Process Area: Training and Development 


The purpose of Training and Development is to ensure that all individuals have the knowledge and 
skills required to perform their assignments and activities related to cybersecurity. The primary 
focus of Training and Development is on removing the gap between the current skills of each 
individual and the skills required to perform their assignments related to cybersecurity activities. 


Roles involved in the process deployment: Members of the human resources function or Unit 
Managers or a group leader. 

Objective 1: Individuals receive timely training that is needed to perform their work. 

Practice 1: Identify cybersecurity knowledge and skills required for performing each individual's 
assigned tasks. 
TIP: 
• Maintain records of knowledge and skills required. 

Practice 2: Identify the training needed in critical cybersecurity skills for each individual. 
TIP: 
• The term "Critical Cybersecurity Skills" refers to: 
  1. Execute specific cybersecurity procedures 
  2. Use equipment effectively 

Practice 3: Each unit develops and maintains a plan for satisfying its training needs. 
TIP: 
• The unit's training plan typically specifies: 
  1. Training needed by each individual or workgroup to perform their assigned responsibilities. 
  2. Training to be provided to individuals or workgroups to support their development interests. 
  3. The schedule for when training is to be provided. 
  4. How this training is to be provided. 

Practice 4: Individuals or groups receive timely training needed to perform their assigned tasks. 
TIP: 
• Examples of training alternatives include the following: 
  1. Classroom training 
  2. Distance learning 
  3. Mentoring 
  4. Apprenticeships 
  5. Self-paced learning courses 

Practice 5: Training is tracked against the unit's training plan. 

Practice 6: A development discussion is held periodically with each individual. 
TIP: 
• Information about knowledge and skills can come from the following: 
  1. Evidence from current performance 
  2. Changing requirements of the current assignment 
  3. Anticipated future assignments 
  4. Individual desire to know more in an area relevant to the organization 
  5. Recommendations from others 
  6. Individual desire for reassignment or advancement 

Practice 7: Relevant development opportunities are made available to support individuals in 
accomplishing their individual development objectives. 
TIP: 
• Examples of development opportunities include the following: 
  1. Courses 
  2. Degree or certification programs 
  3. Mentors or coaches 
  4. Special temporary assignments 
  5. Position or role assignments 

Practice 8: Individuals pursue development activities that support their individual development 
objectives. 

Practice 9: Managers review the training activities status and results. 

Practice 10: Measurements are made and used to determine the status and performance of 
Training and Development activities. 
TIP: 
Examples of measurements include the following: 
• Amount of training provided 
• Rate of training against stated training needs 
• Timeliness of training 
• Cost of training 
• Quality of training as rated in student evaluations 

[13] https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=5329 
4.4.2 Staffing 

Table 15 provides the description of the Staffing process of level 2. The information contained in the 
table has been elaborated from the Staffing Process Area defined in People CMM [14]. The 
information has been adapted to the Cybersecurity Context of the SDN-microSENSE project. 


Table 15. Process description: Staffing 

Process Area: Staffing 

The purpose of Staffing is to establish a formal process by which committed work regarding 
cybersecurity needs is matched to unit resources and qualified individuals are recruited, selected, 
and transitioned into assignments. 

Roles involved in the process deployment: Members of the human resources function or Resource 
managers and Unit manager. 

Objective 1: Individuals or workgroups in each unit are involved in making commitments 
that balance the unit's workload with approved staffing. 
Objective 2: Candidates are recruited for open positions. 
Objective 3: Staffing decisions and work assignments are based on an assessment of work 
qualifications and other valid criteria. 
Objective 4: Individuals are transitioned into and out of positions in an orderly way. 

Practice 1: Each unit analyses its work to determine the cybersecurity skills required. 
TIPS: 
• A unit's work is analysed to determine the types of tasks that require 
cybersecurity measurements and the effort required to perform them. 
• The types of skills (cybersecurity skills) needed to perform proposed work 
are identified. 

Practice 2: Individuals and workgroups participate in making commitments for 
cybersecurity measurements they have to adopt and perform. 
TIPS: 
• Individuals are involved in reviewing the cybersecurity measurements to be 
adopted in their work. 
• Individuals or workgroups are involved in estimating the resources, effort, 
and schedule required to deploy cybersecurity measurements to accomplish 
the work that they have been allocated. 
• Individuals or workgroups establish commitments they will be held 
accountable for meeting. 
• Individuals or workgroups are involved in reviewing progress against 
commitments and, when necessary, making changes to the commitments 
regarding their work. 

Practice 3: Each unit documents cybersecurity commitments that balance its workload 
with available staff and other required resources. 

Practice 4: Individual cybersecurity assignments are managed to balance committed 
cybersecurity measurements among individuals and units or groups. 

Practice 5: Position openings regarding cybersecurity needs within a unit are analysed, 
documented, and approved. 

Practice 6: Position openings regarding cybersecurity needs within the organization are 
widely communicated. 

Practice 7: Units with open positions regarding cybersecurity needs recruit for qualified 
individuals. 

Practice 8: External recruiting activities regarding cybersecurity needs by the organization 
are planned and coordinated with unit requirements. 

Practice 9: A selection process and appropriate selection criteria are defined for each open 
position regarding cybersecurity needs. 
TIP: 
• Selection criteria are defined from: the tasks, job characteristics, and work 
conditions of the open position; characteristics of candidates who are 
capable of performing the work responsibilities of the open position; other 
skill needs of the unit or organization; and other staffing objectives of the 
organization. 
• Examples of activities for evaluating candidates include the following: 
Individual interviews; Group interviews; Formal structured interviews; 
Presentations; Sample tasks. 

Practice 10: Each unit, in conjunction with its human resources function, conducts a 
selection process for each position regarding cybersecurity needs it intends to 
fill. 

Practice 11: Positions regarding cybersecurity needs are offered to the candidate whose 
skills and other qualifications best fit the open position. 

Practice 12: The organization acts in a timely manner to attract the selected candidate. 
TIP: 
• Examples of the terms of the offer that can be negotiated include the following: 
Job level and title, Salary and benefits, Probationary period, Relocation, 
Training. 

Practice 13: The selected candidate is transitioned into the new position. 
TIP: 
• Examples of transition activities include the following: Preparing an office and 
required equipment, Selecting an orientation mentor, Meeting existing 
members of the unit, Orientation to the job, Orientation to the organization, 
etc. 

Practice 14: Representative members of a unit participate in its staffing activities. 
TIP: 
• Examples of staffing activities in which members of the unit can participate 
include the following: Identifying characteristics of qualified candidates, 
Recruiting, Referring potential candidates, Screening potential candidates, 
Evaluating qualified candidates. 

Practice 15: Workforce reduction and other outplacement activities regarding cybersecurity 
needs, when required, are conducted according to the organization's policies 
and procedures. 
TIP: 
• Examples of reasons for outplacement include the following: Loss of budget or 
work, Shifts in skill needs, Changes in location of facilities. 

Practice 16: Discharges for unsatisfactory performance regarding cybersecurity issues or 
other valid reasons are conducted according to the organization's policies and 
procedures. 
TIP: 
• Examples of reasons for discharge could include the following: Unsatisfactory 
performance, Misconduct. 

Practice 17: Causes of voluntary resignation from the organization are identified and 
addressed. 

Practice 18: Managers review the staffing activities status and results. 

Practice 19: Measurements are made and used to determine the status and performance 
of Staffing activities. 
TIP: 
Examples of measurements include the following: 
• Number of open positions identified 
• Number of qualified candidates contacted through each recruiting source 
• Percent of qualified candidates contacted directly by staff rather than 
through other sources 
• Percentage of selected candidates accepting offers 
• Cost per hire 

[14] https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=5329 


4.4.3 Work Environment 

Table 16 provides the description of the Work Environment process of level 2. The information 
contained in the table has been elaborated from the Work Environment Process Area defined 
in People CMM [15]. The information has been adapted to the Cybersecurity Context of the 
SDN-microSENSE project. 


Table 16. Process description: Work Environment 


Process Area: Work Environment 

The purpose of Work Environment is to establish and maintain physical working conditions and to 
provide resources that allow individuals and workgroups to perform the detection of intrusions 
efficiently and also to avoid unintentional security incidents caused by the personnel. 

This process focuses on both the resources provided for performing work (e.g., firewalls, access 
control systems, secured communication protocols, intrusion detection tools, information 
protection), and the physical conditions in which the work is performed (e.g., physical access control 
to installations). 

The work environment must be managed to ensure it supports the tasks required to assure the 
security measurements that avoid any kind of security incident. This process focuses on both the 
resources provided for supporting the personnel in the security tasks, and the physical conditions 
under which these tasks are performed. Management must balance expenditures on resources 
and environment with justifications based on the work being performed. 

Management should also have plans for mitigating the potential problems judged to present 
serious risks to health, safety, or efficiency. 

Roles involved in the process deployment: Physical plant or facilities staff, Telecommunications 
staff, Computing facilities staff, etc. 

Objectives 

Objective 1: To provide the physical environment and resources needed by the personnel to 
detect cyber incidents and avoid unintentional security incidents. 
Objective 2: To create an appropriate environment that minimises distractions at work; this 
will allow fewer security incidents and unintentional security incidents. 

Practice 1: The physical environment and resources required to detect potential cybersecurity 
incidents are identified for each role. 
TIP: 
• Depending on the role of the employee, this physical environment should be 
changed. The resources to be considered are different if the role works in a 
control room, a substation or an office. 
• These resources could include the following: individual, group and meeting 
space, telecommuting support, support for remote locations, special 
characteristics of physical workspaces, communication equipment, computer 
and software tools. 
• Preparing budget requests for the needed physical environment or other 
resources. 
• Coordinating actions needed to implement the improvements, consulting 
with appropriate subject matter experts. 

Practice 2: The physical environment required to detect cybersecurity incidents is provided 
according to the identification done in Practice 1. An adequate space should be 
provided; this means designing the space to support the efficient performance 
of the detection of cyber incidents and the security tasks derived from it. If the 
most adequate physical space cannot be provided, some mitigation actions 
should be implemented. 
TIP: 
• Some characteristics to consider in order to provide a secure physical space: 
access control, video protection, visibility, noise, voice communication and 
so on. 

Practice 3: An adequate personal environment for detecting cybersecurity incidents and 
for avoiding unintentional security incidents is provided. 
TIP: 
• This personal environment should assure: 
  - Protected private space where personal effects, work tools, and products 
    can be secured and stored as necessary. 
  - Adequate desktop space for using tools and other resources in performing 
    tasks. 
  - Enough isolation and noise protection to support the level of concentration 
    needed to perform individual work. 
  - Enough space to perform work activities alone or with a limited number of 
    colleagues, as appropriate. 

Practice 4: The specialized resources that would normally be available for performing the 
detection of cybersecurity incidents are made available and adequate support 
is provided. 
TIPS: 
• In order to detect cybersecurity incidents in the organisation, a specialised 
resource could be an intrusion detection system that reports that a potential 
intrusion may have occurred. 
• Another resource that could help is to set up a security mechanism to detect, 
deflect, or, in some manner, counteract attempts at unauthorized use of the 
systems. 

Practice 5: Improvements are made to the work environment that improve the detection 
of cybersecurity events. 
TIP: 
• The efficiency of this work environment when detecting security events is 
analysed to identify potential changes or resources that could improve the 
performance. 
• It is important to prioritise the improvements. This prioritisation should 
consider different aspects: impact, budget, laws and regulations and so on. 

Practice 6: Physical factors that degrade the effectiveness of the work environment are 
identified and addressed. 
TIP: 
• Analyse all the factors that can affect the environment set up to detect 
cybersecurity incidents. These factors can be of a different nature, from 
excessive noise to the malfunction of the access control mechanisms, both 
digital and physical ones. 

Practice 7: Sources of frequent interruption or distraction that can generate unintentional 
security incidents are identified and minimized. 
TIP: 
• Some factors that can generate distractions are: telephone calls, excessive 
meetings, poorly organized work processes, unnecessary or excessive 
administrative tasks, work that could be performed by other, more 
appropriate, individuals... 

Practice 8: Managers review the work environment activities status and results. 

Practice 9: Measurements are made and used to determine the status and performance 
of Work Environment activities. 
TIP: 
Examples of measurements include the following: 
• Number of complaints or concerns raised about the work environment 
• Number of violations of work environment laws or regulations 
• Effectiveness of improvements on performance 
• Investment in work environment improvements 

[15] https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=5329 


4.4.4 Communication and Coordination 

Table 17 provides the description of the Communication and Coordination process of level 2. The 
information contained in the table has been elaborated from the Communication and 
Coordination Process Area defined in People CMM. The information has been adapted to the 
Cybersecurity Context of the SDN-microSENSE project. 


Table 17. Process description: Communication and Coordination 


Process Area: Communication and Coordination 

The purpose of Communication and Coordination is to establish timely communication throughout 
the organization and to ensure that the personnel have the skills to share cybersecurity information 
(risks, security breaches and cyber incidents) and that this information is efficiently coordinated. 

Roles involved in the process deployment: Physical plant or facilities staff, Telecommunications 
staff, Computing facilities staff, etc. 

Objective 1: Cybersecurity information is shared across the organization. 
Objective 2: Individuals or groups are able to raise cybersecurity concerns and have them 
addressed by management. 
Objective 3: Individuals and workgroups coordinate their activities to detect cybersecurity 
risks, reduce vulnerabilities and respond to incidents. 

Practice 1: The workforce-related policies and practices of the organization are 
communicated to the workforce. 
TIPS: 
• Individuals and units are informed of policies and practices that affect them: 
  - Security policy of the company 
  - Individual and unit responsibilities 
  - Procedures for notifying any security risk, bad practice or breach 
• Whenever people-related policies and practices are changed, the changes are 
communicated to the workforce. 
• Possible ways to perform this communication: 
  1. General meetings. 
  2. Periodical reminders in the unit meetings. 
  3. Use of posters. 

Practice 2: Information about cybersecurity values, events, and conditions is 
communicated to the workforce on a periodic and event-driven basis. 
TIPS: 
• Examples of information that is to be communicated: 
  1. Organizational mission, vision, and strategic objectives 
  2. Business ethics 
  3. Security plans and objectives 
  4. Security performance 
  5. Changes in cybersecurity organizational structure or processes (Security 
     Admin, for example) 
  6. Notable cybersecurity events, risks, activities, infrastructure, etc. 
• Communication mechanisms: 
  1. Organization-wide meetings 
  2. Staff meetings 
  3. One-on-one meetings 
  4. Bulletin boards 
  5. Electronic mail announcements 
  6. Internal publications 
  7. Newsletters 
  8. Memos 

Practice 3: Information required for performing committed work in a secure way is shared 
across affected units in a timely manner. 
TIPS: 
• Information about: 
  1. New detected threats and vulnerabilities. 
  2. The results of risk assessment processes. 
  3. New tools and processes deployed in the company to increase cybersecurity. 

Practice 4: Individuals' opinions on their security working conditions are sought on a 
periodic and event-driven basis. Inputs are analysed and the results, decisions, 
and actions are communicated. To ensure confidentiality, results are presented 
so that individuals or groups cannot be identified as the source of information 
unless they have given their permission to be identified. 
TIP: 
• The company has established the following procedures: 
  1. Immediate notification of any aspect that may pose a cybersecurity risk. 
  2. Group meetings. 
  3. Cybersecurity incident review. 
  4. Email or other electronic means. 
  5. Suggestion boxes or other private means. 

Practice 5: Individuals or groups can raise concerns related to cybersecurity issues 
according to a documented procedure. 
TIP: 
• The company has set up mechanisms or procedures to allow people to raise 
concerns related to cybersecurity: 
  1. A tool for collecting concerns and complaints. 

Practice 6: Activities related to the resolution of cybersecurity problems are tracked to 
closure. 
TIP: 
  1. Responsibilities are assigned for tracking the status of concerns. 
  2. The status of all open concerns is periodically reviewed by management. 
  3. When appropriate progress has not been made in resolving a concern, 
     corrective action is taken. 

Practice 7: Individuals and workgroups monitor and coordinate the dependencies involved 
in their committed work. 
TIP: 
• Where the work is interdependent, individuals and workgroups should ensure 
they mutually agree to their commitments in order to coordinate their 
activities: 
  1. Identify dependencies. 
  2. Create dependencies. 
  3. Coordinate dependent work. 
  4. Document dependencies. 

Practice 8: Meetings are conducted to make the most effective use of participants' time. 

Practice 9: Managers review the Communication and Coordination activities status and 
results. 

Practice 10: Measurements are made and used to determine the status and performance 
of Communication and Coordination activities. 
TIP: 
Examples of measurements include the following: 
• Results from opinion surveys 
• Number of conflicts handled through formal mechanisms 
• Number of concerns raised 


4.5 Competency Managed Processes 

In the Competency Managed level the organization identifies and develops the knowledge, skills, and 
process abilities that constitute the workforce competencies required to perform its business activities 
with the maximum level of cybersecurity. The organization develops a cybersecurity culture of 
professionalism based on well-understood workforce competencies. In this level the organization 
develops the capability to manage its workforce as a strategic asset. 


The processes in the Competency Managed level are: 


1. Cybersecurity Competency Analysis 
2. Cybersecurity Competency Development 
3. Workforce Planning 
4. Participatory Culture. 


4.5.1 Cybersecurity Competency Analysis 

Table 18 provides the description of the Cybersecurity Competency Analysis process of level 3. The 
information contained in the table has been elaborated from the Competency Analysis 
Process Area defined in People CMM. The information has been adapted to the Cybersecurity 
Context of the SDN-microSENSE project. 


Table 18. Process description: Cybersecurity Competency Analysis. 


Process Area: Cybersecurity Competency Analysis 

The purpose of Competency Analysis is to: 

1. Identify the cybersecurity knowledge, skills, and process abilities required to perform the 
organization's business activities in the most secure way possible. 

2. Maintain descriptions of the cybersecurity knowledge, skills, and process abilities that 
comprise each workforce competency. 

3. Set up an organizational repository where these descriptions are maintained and available. 

4. Assess these descriptions periodically to ensure they remain current with the organization's 
technologies and business activities. 

5. Define, and update as necessary, the work processes used by capable individuals in each 
workforce competency. 

Roles involved in the process deployment: Members of Human resources, Managers or Engineering 
groups focused on cybersecurity, etc. 

Objectives 

Objective 1: The cybersecurity competencies required to perform a business activity are 
defined and updated. 
Objective 2: The cybersecurity measures used within each workforce competency are 
defined and maintained. 
Objective 3: The organization tracks cybersecurity capability in each of its user role 
competencies. 

Practice 1: The cybersecurity competencies required to perform the organization's 
business activities are identified and analysed to identify the knowledge, skills, 
and process abilities that compose them. 
TIP: 
For each role: 
  1. Cybersecurity knowledge, skills, and process abilities required to perform 
     committed work are defined for each business activity. 
  2. The SDN-microSENSE Cybersecurity Competency Model can be used. 
  3. Subject matter experts are involved in analysing the cybersecurity 
     knowledge, skills, and process abilities required to perform their 
     committed work. 
  4. A description of the cybersecurity knowledge, skills, and process abilities 
     is defined for each business activity. 

Practice 2: Workforce competency descriptions are documented and maintained according 
to a documented procedure. 
TIP: 
  1. Cybersecurity competency descriptions are controlled and maintained under 
     version control. 

Practice 3: Cybersecurity competency descriptions are updated on a periodic and 
event-driven basis. 
TIP: 
  1. Cybersecurity competencies are periodically reanalysed to determine if 
     they continue to reflect the knowledge, skills, and process abilities 
     necessary to perform the organization's business activities. 
  2. Changes in products, services, processes, or technology are analysed as 
     necessary to determine whether affected cybersecurity competency 
     descriptions need to be updated, new competencies need to be defined, or 
     obsolete cybersecurity competencies need to be phased out. 

Practice 4: The competency-based cybersecurity processes to be performed by capable 
individuals in each workforce competency are established and maintained. 
TIP: 
  1. Competency-based cybersecurity processes are documented and made 
     available for guiding those developing or performing a workforce competency. 
  2. Documented competency-based cybersecurity processes are updated on an 
     event-driven basis to reflect: 
     • changes in business operations, products, or services, 
     • changes in other processes or development technologies, 
     • lessons learned from the performance of competency-based processes, 
     • other process improvements. 

Practice 5: Current resource profiles for each of the organization's workforce 
competencies are determined. A resource profile for a workforce competency 
represents the number of individuals at each level of capability within the 
workforce competency. An example of progressive levels of capability within a 
workforce competency may include a beginner, a novice, a journeyman, a senior 
practitioner, and a master or expert. 
TIP: 
  1. Competency information is aggregated at the organizational level for 
     each of the organization's cybersecurity competencies. 
  2. The organization uses aggregated competency information to develop a 
     resource profile for each of the organization's cybersecurity competencies. 
  3. Resource profiles are made available, as appropriate, for use in 
     workforce planning, the analysis of workforce practices, and other 
     workforce activities. 

Practice 6: Competency information is updated on a periodic and event-driven basis. 
TIP: 
  1. Competency information for an individual (or other unit of analysis) 
     may be updated as accomplishments, experience, or events justify. 
  2. Competency information for affected individuals should be updated as 
     appropriate when workforce competency descriptions are modified, 
     added, or phased out. 

Practice 7: Managers review the Cybersecurity Competency Analysis activities status and 
results. 

Practice 8: Measurements are made and used to determine the status and performance 
of Cybersecurity Competency Analysis activities. 
TIP: 
Number of workforce competencies identified and analysed, number of actions 
identified to obtain the appropriate workforce competencies, effort spent in 
the cybersecurity competency activities, etc. 


A specific Competency Analysis is carried out in Section 5 as Guidelines for EPES companies. 


4.5.2 Cybersecurity Competency Development 

Table 19 provides the description of the Cybersecurity Competency Development process of level 3. 
The information contained in the table has been elaborated from the Competency 
Development Process Area defined in People CMM. The information has been adapted to the 
Cybersecurity Context of the SDN-microSENSE project. 


Table 19. Process description: Cybersecurity Competency Development. 


Cybersecurity Competency Development 


The purpose of Cybersecurity Competency Development is to enhance constantly the capability of 
the workforce to perform its assigned tasks and responsibilities. 

The cybersecurity competencies identified in Competency Analysis and the needs identified in 
Workforce Planning provide the foundations for the organization’s competency development 
program. 


Graduated training and development opportunities are designed to support development in each 
of the organization’s workforce competencies. 


Individuals pursue competency development opportunities that support their individual 
development objectives. 


The organization uses the experience of its workforce to develop additional capability in each of its 
workforce competencies through practices such as mentoring. Mechanisms are established to 
support communication among the members of a competency community. 


Roles involved in the process deployment: Member of Human Resources, Managers or Engineering groups focused on cybersecurity, etc.

Objectives


Objective 1. The organization provides opportunities for individuals to develop their cybersecurity capabilities in its workforce competencies.

Objective 2. Individuals develop their knowledge, skills, and process abilities in the organization's workforce competencies.

Objective 3. The organization uses the cybersecurity capabilities of its workforce as resources for developing the workforce competencies of others.

Practice 1. Cybersecurity competency development activities are based on the competency development plans within each workforce competency.
TIP:
• Cybersecurity Competency development activities are selected and based on a competency development plan.
• Cybersecurity Competency development activities are prioritized to align with the organization's measurable objectives and the competency development plan.
Practice 2. Graduated training and development activities are established and maintained for developing cybersecurity capability in each of the organization's workforce competencies.
TIP:
1. Graduated training and development activities are identified. Examples of competency development activities include the following:
• Formal classroom training
• Courses of study at educational institutions
• Degree programs
• Licensing or certification programs
• Guided self-study
• Mentoring
• Just-in-time training
• Workgroup (or team) training and development activities
• Knowledge repositories and tools
• Career development planning
2. The organization establishes standards for the learning activities.
3. Learning activities are periodically reviewed.
4. Resources for delivering the training and development activities are identified and made available.
5. The training and development program is updated as changes are made to profiles of the organization's workforce competencies.
6. Training and development records are maintained at the organizational level.

Practice 3. Cybersecurity Competency-based training and development activities are identified for each individual to support their development objectives.
TIP:
1. A responsible individual helps each individual identify cybersecurity competency-based training and development needs and ensures that appropriate competency development activities are identified, planned, and performed.
2. A responsible person counsels individuals, as needed, about available training and development.

Practice 4. Individuals actively pursue learning opportunities to enhance their capabilities in cybersecurity competencies.
TIP:
1. Individuals are encouraged to take the initiative in pursuing cybersecurity competency development opportunities.
2. Individuals ensure their cybersecurity competency information is updated when cybersecurity competency development activities are completed.

Practice 5. Capable individuals within a competency community are used to mentor those with less capability in the cybersecurity competency.
TIP:
1. Elaborate a list of people in the organisation that can act as mentors.
2. Individuals willing to act as mentors are prepared to perform their responsibilities.
3. Mentors and those being mentored establish arrangements for conducting their mentoring relationship.
4. Mentors provide timely feedback and guidance to those they mentor.

Practice 6. The organization supports communication among those comprising a cybersecurity competency community. The members of a workforce that share the common cybersecurity knowledge, skills, and process abilities of a particular business activity or role constitute a cybersecurity competency community.
TIP:
Examples of mechanisms for supporting communication within a cybersecurity competency community include the following:
• Periodic meetings
• Informal discussions
• Professional activities
• Social gatherings
• Peer group reviews, boards, and similar activities
• Periodic newsletters or bulletins
• Updated technical, process, or business documentation
• Electronic bulletin boards, web pages, and other forms of computer-mediated communication and networking
• Information repositories

Practice 7. Managers review the Cybersecurity Competency Development activities status and results.

Practice 8. Measurements are made and used to determine the status and performance of Cybersecurity Competency Development activities.
TIP: Amount of time spent in developing the knowledge, skills, and process abilities underlying the organization's cybersecurity workforce competencies, number of people and amount of effort involved in developing or delivering Cybersecurity Competency Development activities, amount and types of communication within a competency community, etc.


4.5.3 Workforce Planning 

Table 20 provides the description of the Workforce Planning Process of level 3. The information contained in the table has been elaborated starting from the Workforce Planning Process Area defined in People CMM. The information has been adapted to the cybersecurity context of the SDN-microSENSE project.


Table 20. Process description: Workforce Planning 


Process: Workforce Planning


The purpose of Workforce Planning is to coordinate workforce activities with current and future 
cybersecurity needs at both the organizational and role levels. 

Through workforce planning, the organization identifies the workforce it needs for its current and 
future activities oriented to detect and stop the cybersecurity incidents and plans the actions to be 
taken to ensure the required workforce is available when needed. 


Roles involved in the process deployment: Member of Human resources or Managers. 
Objectives 


Objective 1. Measurable objectives for capability in each of the organization's cybersecurity workforce competencies are defined.

Objective 2. The organization plans for the workforce competencies needed to perform its current and future activities oriented to detect and stop cybersecurity incidents.

Objective 3. Each role performs workforce activities to satisfy current and strategic competency needs.

Practice 1. The current and strategic cybersecurity workforce needs of the organization are documented.
TIP:
• Inputs required to identify these needs are collected and documented. Some examples:
  o the number of people required to accomplish the role's committed work compared to the number available,
  o the workforce competencies needed to conduct the cybersecurity activities constituting these commitments compared to the unit's current capability in these workforce competencies,
  o the unit's anticipated future commitments that have current staffing implications.
Practice 2. Measurable objectives are established for developing the organization's capability in each of its selected workforce competencies.
TIP:
• Examples of measurable objectives:
  o Level of knowledge, skill, and process ability available in each of the security workforce competencies
  o The rate at which knowledge, skill, and process ability are acquired in each of the security workforce competencies
  o The deployment of the security workforce competencies across the organization
  o The rate at which new security workforce competencies can be developed and deployed across the organization
Practice 3. A competency development plan for cybersecurity concepts and information on how to detect these attacks is produced and reviewed by all the involved people on a periodic and event-driven basis. A guideline about the competencies by role in an EPES is described in Annex 1.
TIP:
• Information to be added in this plan:
  o measurable objectives for developing capability in the workforce competency,
  o the number of people anticipated or required with the needed competency over the period covered by the plan,
  o how the number of people with the competency will be developed or staffed.
• It is important that the plan for the competency in cybersecurity is incorporated into the organization's strategic workforce plan and provides input to planned workforce activities by units.

Practice 4. The organization establishes and maintains a strategic workforce plan to guide its workforce practices and activities related to the detection of potential cybersecurity incidents.
TIP:
• These activities may include developing specialists within the competency, providing minimal training to all individuals to achieve a base-level competency (an example of this can be found in Annex 1), retraining individuals or groups whose competencies may become obsolete or oversupplied, providing cross-training for selected individuals, or training selected groups within units.
• Staffing activities to reallocate or recruit individuals necessary to meet the current and strategic workforce needs of the organization (see Staffing process).
• Some compensation activities could be defined to motivate development or retention of needed competencies.

Practice 5. Roles plan workforce activities to satisfy competency needs to be able to detect cybersecurity attacks in an efficient way. The plans are reviewed on a periodic and event-driven basis.
TIP:
• For each role in the organisation, performance objectives should be defined and documented for:
  o developing the competencies needed to perform its security activities,
  o contributing to the security competency development objectives of the organization, and
  o performing planned activities that support these competence development objectives.
• It is important that all the roles revise their plans for workforce activities according to documented procedures.
Practice 6. Progress in meeting the objectives of the competency development plan for each of the cybersecurity competencies is tracked.
TIP:
• An individual or group is assigned responsibility for tracking performance against its competency development plan. If results deviate significantly from the competency development plan for a competency, corrective action is taken.

Practice 7. Each role's performance in conducting its planned workforce activities is tracked.
TIP:
• Each role periodically reviews its status in performing planned workforce activities.
• The progress of each role in executing its planned workforce activities is periodically reviewed at the organizational level.
• Corrective actions are taken when results deviate significantly from a role's objectives in performing its planned workforce activities.

Practice 8. Managers review the Workforce Planning activities status and results.

Practice 9. Measurements are made and used to determine the status and performance of Workforce Planning activities.
TIP:
Examples of measurements include the following:
• Time spent in organizational and role level workforce planning
• Number of people involved in Workforce Planning activities
• Effectiveness of meeting milestones in workforce planning
• Effectiveness of achieving the objectives of the strategic workforce plan
• Effectiveness in performing workforce activities at the organizational and role levels


4.5.4 Participatory Culture 
Table 21 provides the description of the Participatory Culture Process of level 3. The information contained in the table has been elaborated starting from the Participatory Culture Process Area defined in People CMM. The information has been adapted to the cybersecurity context of the SDN-microSENSE project.


Table 21. Process description: Participatory Culture 


Process: Participatory Culture


The purpose of a Participatory Culture is to enable the workforce's full capability for making decisions that affect the performance of business activities oriented to detect cybersecurity risks. A participatory culture about aspects related to security provides an environment in which competent professionals are fully able to exercise their capabilities focused on cybersecurity aspects. This participative environment ensures a flow of information when a security alarm is detected within the organization, incorporates the knowledge of individuals into decision-making processes, and gains their support for commitments.

Establishing a participatory culture begins with providing individuals and workgroups with 
information about cyber security activities performance. Individuals and workgroups are provided 
access to the information needed to perform their committed work. 

Roles involved in the process deployment: Member of Human resources or Executive management. 


Objectives 


Objective 1. Information about cybersecurity activities and results is communicated throughout the organization.

Objective 2. Decisions about the security aspects are delegated to an appropriate level of the organization, and individuals or workgroups participate in the decision-making processes.

Practice 1. Information about cybersecurity tasks performance is made available to individuals and workgroups.
TIP:
• Identify the relevant information related to the cybersecurity activities performance: objectives, performance data of the preventing activities, information regarding changes in the work environment, cost of the activities, budget for new security measures.
• The level of information provided to each role and the frequency of this information should be detailed.
• It is important to consider which information should be treated as confidential.

Practice 2. Individuals and workgroups are made aware of how their work in the security aspects contributes to cybersecurity tasks performance.
TIP:
• The information regarding the performance of the task is informed at all the levels: individual and workgroups.
• The information regarding the link between individual, workgroup, unit, and organizational performance in the detection of intrusion and other activities related with cybersecurity is explained.
Practice 3. Individuals and workgroups have access to information needed to perform their tasks regarding the security aspects and to the systems that support the access to this information.
TIP:
• The information that should be provided is: assigned tasks and responsibilities, standard processes, workgroup coordination, assigned or assumed roles and dependencies. Also, the mechanism on how this information is transferred, ensuring the correct coordination with information sources to ensure timely access.
• The communication system should broaden and accelerate the flow of information needed to enhance the activities to detect the cybersecurity incident and the speed and accuracy of decisions.
• It is important to facilitate the participation of all the people involved in decisions about improvements and upgrades to the information and communication technologies that are used.

Practice 4. Decisions concerning security aspects made by those empowered to make them are supported by others in the organization.
TIP:
• Ensure that necessary coordination of decisions with all the relevant people involved occurs.

Practice 5. Defined mechanisms are used for resolving conflicts and disputes referring to cybersecurity events.
TIP:
• Define the different types of conflicts that could appear: scheduling difficulties, conflicts among commitments, budget or other financial issues, coordination problems.
• To resolve problems, issues, conflicts, or disputes, take into account the knowledge and opinion of the individuals whose job is affected.
• Communicate to all people involved the results of conflict and dispute resolution processes.

Practice 6. Managers review the Participatory Culture activities status and results.

Practice 7. Measurements are made and used to determine the status and performance of Participatory Culture activities.
TIP:
Examples of measurements include the following:
• Amount of business information communicated to the workforce
• Number of conflict or dispute resolutions
• Results from opinion feedback mechanisms
• Etc.
5 Cybersecurity Competency Model

A competency model can be defined as a framework that defines a set of knowledge, skill and abilities 
required to perform a specific job in a company. Competency models are widely used in business for 
defining and assessing competencies within organizations and supporting personnel managers in 
certain processes like staffing, recruiting or promoting. 


In an energy company, the definition of the competency model is organised around the activity of the 
company, that is, energy generation, grid operation, energy services management, efficient 
consumption, etc. However, the increased digitization in the sector forces the workforce to acquire 
cybersecurity knowledge and skills. These competences will allow the people to avoid unconscious 
errors, reduce external threats, and be able to face adverse events (attacks and incidents) or system 
failures. Therefore, the competency model should include cybersecurity competences (knowledge, 
skills and abilities) required for each work role. 


In this section we focus on the specific cybersecurity knowledge, skills and abilities that will be required by the personnel in the energy sector. We will start with a revision of the existing competency models in the cybersecurity and ICT domain and continue with an analysis of which cybersecurity knowledge, skills and abilities are required in each User Role defined in Section 3.


5.1 Revision of existing Competency Models 


5.1.1 European e-Competency Framework (e-CF) 

The European e-Competence Framework (e-CF) version 3.0²¹ "provides a reference of 40 competences as required and applied at the Information and Communication Technology (ICT) workplace, using a common language for competences, skills and capability levels that can be understood across Europe, and that it implements of the European Qualifications Framework (EQF)" [10].


The e-CF is structured over four dimensions. These dimensions reflect different levels of business and 
human resource planning requirements in addition to job/work proficiency guidelines. They are 
specified as follows: 


• Dimension 1: The e-CF has 5 e-Competence areas, derived from the ICT business processes PLAN — BUILD — RUN — ENABLE — MANAGE.
• Dimension 2: A set of reference e-Competences for each area, with a generic description for each competence. 40 competences identified in total provide the European generic reference definitions of the framework.
• Dimension 3: Proficiency levels of each e-Competence provide European reference level specifications on e-Competence levels e-1 to e-5, which are related to EQF levels 3-8.
• Dimension 4: Samples of knowledge and skills relate to e-Competences in dimension 2. They are provided to add value and context and are not intended to be exhaustive.


²¹ European qualifications framework (EQF). https://www.cedefop.europa.eu/es/events-and-projects/projects/european-qualifications-framework-eqf
Figure 18 shows the list of 40 e-Competences defined in e-CF. The figure is reproduced here as text: Dimension 1 (the five e-CF areas A to E) with the Dimension 2 e-Competences legible in the source; Dimension 3 (e-Competence proficiency levels) is not reproduced.

A. PLAN
A.1. IS and Business Strategy Alignment
A.2. Service Level Management
A.3. Business Plan Development
A.4. Product/Service Planning
A.5. Architecture Design
A.6. Application Design
A.7. Technology Trend Monitoring
A.8. Sustainable Development
A.9. Innovating

B. BUILD
B.1. Application Development
B.2. Component Integration
B.3. Testing
B.4. Solution Deployment
B.5. Documentation Production
B.6. Systems Engineering

C. RUN
C.1. User Support
C.2. Change Support
C.3. Service Delivery
C.4. Problem Management

D. ENABLE
D.1. Information Security Strategy Development
D.2. ICT Quality Strategy Development
D.3. Education and Training Provision
D.4. Purchasing
D.5. Sales Proposal Development
D.6. Channel Management
D.7. Sales Management
D.8. Contract Management
D.9. Personnel Development
D.10. Information and Knowledge Management
D.11. Needs Identification
D.12. Digital Marketing

E. MANAGE
E.1. Forecast Development
(The remaining E-area competences are not legible in the extracted figure.)

Figure 18. European e-Competency Framework (e-CF)
As far as security is concerned, e-CF lists two security related functions:


D.1. Information Security Strategy Development. It defines and makes applicable a formal 
organisational strategy, scope and culture to maintain safety and security of information from 
external and internal threats, i.e. digital forensic for corporate investigations or intrusion 
investigation. 

E.8. Information Security Management. It implements information security policy. Monitors 
and takes action against intrusion, fraud and security breaches or leaks. Ensures that security 
risks are analysed and managed with respect to enterprise data and information. It reviews 
security incidents, makes recommendations for security policy and strategy to ensure 
continuous improvement of security provision. 


5.1.2 NIST NICE 

The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce has developed the NICE (National Initiative for Cybersecurity Education) Framework. The aim of the framework is to "energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development" [11]. The NICE Framework is organised in:

• Categories (7) – A high-level grouping of common cybersecurity functions.
• Specialty Areas (33) – Distinct areas of cybersecurity work.
• Work Roles (52) – The most detailed groupings of cybersecurity work, comprised of specific knowledge, skills, and abilities required to perform tasks in a work role.


Figure 19 shows the work roles defined by NIST NICE. 


[Figure 19, reproduced as text: NICE Framework (NIST Special Publication 800-181). Cybersecurity Workforce Categories (7), shown in the figure as Securely Provision, Operate and Maintain, Oversee and Govern, Protect and Defend, Analyze, Collect and Operate, and Investigate. Specialty Areas (33), distinct areas of cybersecurity work, e.g. Cybersecurity Management, Executive Cyber Leadership, All Source Analysis, Cyber Investigation, Digital Forensics. Work Roles (52), the most detailed groupings of IT, cybersecurity, or cyber-related work, which include specific Knowledge, Skills, and Abilities (KSAs) required to perform a set of Tasks.]

Figure 19. NIST NICE Work Roles
For each work role a list of attributes required to perform that role in the form of knowledge, skills, and abilities (KSAs) and tasks performed in that role has been defined. The framework defines 1007 tasks, 630 knowledge items, 374 skills and 176 abilities.

Figure 20 shows an example of the information provided by the NIST NICE Framework for the Database Administrator Work Role.

Work Role Description: Responsible for setting up and maintaining a system or specific components of a system (e.g., installing, configuring, and updating hardware and software; establishing and managing user accounts; overseeing or conducting backup and recovery tasks; implementing operational and technical security controls; and adhering to organizational security policies and procedures).

Tasks: T0029, T0054, T0063, T0136, T0144, T0186, T0207, T0418, T0431, T0435, T0458, T0461, T0498, T0501, T0507, T0514, T0515, T0531

Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0049, K0050, K0053, K0064, K0077, K0088, K0100, K0103, K0104, K0117, K0130, K0158, K0167, K0179, K0260, K0261, K0262, K0274, K0280, K0289, K0318, K0332, K0346

Skills: S0016, S0033, S0043, S0073, S0076, S0111, S0143, S0144, S0151, S0153, S0154, S0155, S0157, S0158

Abilities: A0025, A0027, A0034, A0055, A0062, A0074, A0088, A0123, A0124

Figure 20. NIST NICE. System Administrator Work Role


Although some Work Roles are very specific to the cybersecurity activities in a company (e.g., cyber investigation, threat analysis, collection operations, digital forensics), the NIST NICE Framework provides very useful information for the definition of cybersecurity competences that should be incorporated by the personnel in an energy company.


We consider the NIST NICE Framework an important input for the elaboration of the SDN-microSENSE Cybersecurity Competency Model. However, there are many NICE roles that do not exist in energy companies and that cannot be easily matched against the roles defined in Section 3. Instead of matching NICE Work Roles we have decided to analyse NICE's knowledge, skills and abilities, classify them into a set of Categories and Subcategories, and finally assign these categories and subcategories to our User Roles. The results of this work are presented in the following sections.


5.2 Cybersecurity Knowledge, Skills and Abilities (KSA) 
NICE Framework defines knowledge, skills and abilities as “the attributes required to perform work 
roles and are generally demonstrated through relevant experience, education, or training" [11]. 


• Knowledge is a body of information applied directly to the performance of a function.
• Skill is often defined as an observable competence to perform a learned psychomotor act. Skills in the psychomotor domain describe the ability to physically manipulate a tool or instrument like a hand or a hammer. Skills needed for cybersecurity rely less on physical manipulation of tools and instruments and more on applying tools, frameworks, processes, and controls that have an impact on the cybersecurity posture of an organization or individual.
• Ability is competence to perform an observable behaviour.


Starting from the list of knowledge, skills and abilities defined by the NICE Framework, and with the 
help of the SDN-microSENSE partners, a selection of the more significant knowledge, skills and abilities 
for each User Role defined in Section 3 has been done. The process followed, shown in Figure 21, has 
been the following: 


1. Analysis of the NICE knowledge table and definition of a set of Categories and Subcategories.
2. Classification of each KSA into one Category and Subcategory.
3. Assignment of each Category and Subcategory to an SDN-microSENSE User Role.
4. Filtering of those KSAs with limited impact on company security.

[Figure 21, reproduced as text: starting from the NICE KSA tables, the Category and Subcategory definition step, the assignment of KSAs to the SDN-microSENSE User Roles, and the resulting KSAs defined in SDN-microSENSE.]

Figure 21. Selection of knowledge, skills and abilities for each User Role


5.3 Knowledge 
This section provides the results of the analysis of cybersecurity knowledge required for each User 
Role: 


• Table 22 lists the knowledge categories and subcategories and provides some examples about the knowledge in each subcategory.
• Table 23 identifies which knowledge categories and subcategories are assigned to each user role and the level of knowledge required:
  o B = Basic knowledge
  o M = Medium knowledge
  o A = Advanced knowledge.
• The final set of knowledge for each role is provided in Annex I.

The following six knowledge items are considered common to all roles by the NICE Framework:


• K0001. Knowledge of computer networking concepts and protocols, and network security methodologies.
• K0002. Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
• K0003. Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
• K0004. Knowledge of cybersecurity and privacy principles.
• K0005. Knowledge of cyber threats and vulnerabilities.
• K0006. Knowledge of specific operational impacts of cybersecurity lapses.


Table 22. Knowledge Categories and Subcategories 


Category: Collection

Collection Management: Knowledge of collection management processes, capabilities, and limitations.

Collection Process: Knowledge of collection disciplines and capabilities.

Collection Tools: Knowledge of the available tools and applications associated with collection requirements and collection management.

Communication Fundamentals: Basic knowledge about networks and communications:
• networking concepts and protocols.
• telecommunications concepts.
• basic computer components of a network, types of networks, etc.
• Internet communications fundamentals.

Communication Technology: Advanced knowledge about a communication technology:
• Bluetooth, RFID, IR, Wi-Fi, paging, cellular, satellite dishes, VoIP, etc.
• structure, architecture, and design of modern wireless communications systems.
• mobile cellular communications architecture.

Network Architectures: Knowledge of the basic structure, architecture, and design of modern communication networks:
• physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.
• network architecture concepts including topology, protocols, and components.
• how traffic flows across the network.
• demilitarized zones.
• organization's Local and Wide Area Network connections.

Network Management: Knowledge on network management:
• network traffic analysis methods.
• packet-level analysis: Wireshark, tcpdump, etc.
• network tools: ping, traceroute, nslookup, etc.
• network administration.

Network Protocols: Knowledge about industrial and TCP/IP protocols:
• OSI model.
• network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• Internet and routing protocols.

Network Security: Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware:
• Virtual Private Network (VPN) security.
• network security implementations: host-based IDS, IPS, access control lists.
• basics of network security: encryption, firewalls, authentication, honey pots, perimeter protection.

Category: ICT

Database: Knowledge of database management systems, query languages, table relationships, and views:
• database systems.
• database access application programming interfaces.
• database administration and maintenance.

Hardware: Knowledge about the design and development of hardware devices:
• microprocessors.
• circuit analysis.
• computer architectures.

IT Architectures: Knowledge of information technology (IT) architectural concepts and frameworks.

IT Systems: Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly:
• server administration and systems engineering theories, concepts, and methods.
• systems administration concepts.
• systems diagnostic tools and fault identification techniques.
• file system implementations.
• middleware.
• principles and methods for integrating system components.
• Supervisory control and data acquisition (SCADA).

Media Storage Devices: Knowledge of the characteristics of physical and virtual data storage media:
• access control devices, digital cameras, digital scanners, electronic organizers, hard drives, memory cards, modems, network components, networked appliances, networked home control devices, printers, removable storage devices, telephones, copiers, facsimile machines, etc.

Operating Systems: Knowledge of operating systems:
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e server and client operating systems. 

e command-line tools: mkdir, mv, Is, passwd, grep, etc. 

e virtualization technologies and virtual machine development and 
maintenance. 

е system administration concepts for operating systems such as but 
not limited to Unix/Linux, IOS, Android, and Windows operating 
systems. 

e security concepts in operating systems. 

Programming: Knowledge of computer programming principles:
• programming concepts, including computer languages, programming, testing, debugging, and file types.
• programming concepts: levels, structures, compiled vs. interpreted languages.
• programming language structures and logic.
• software debugging principles.
• secure coding techniques.
• scripting.
• embedded systems.

Software Development: Knowledge of software design tools, methods, and techniques:
• software development models (e.g., Waterfall Model, Spiral Model).
• software engineering.
• software quality assurance process.
• software reverse engineering techniques.
• secure software deployment methodologies, tools, and practices.
• configuration management techniques.

System Engineering: Knowledge of systems engineering theories, concepts, and methods.
Web Applications: Knowledge of how Internet applications work:
• SMTP email, web-based email, chat clients, VoIP, etc.
• concepts related to websites: web servers/pages, hosting, DNS, registration, web languages such as HTML.
• website types, administration, functions, and content management systems (CMS).
• web services: service-oriented architecture, Simple Object Access Protocol (SOAP), and Web Services Description Language (WSDL).

Information Management
Asset Management: Knowledge of sources, characteristics, and uses of the organization's data assets:
• asset availability, capabilities and limitations.
• hardware asset management.
• software asset management.
• patching and software updates.

Data Management: Knowledge of data administration and data standardization policies:
• complex data structures.
• data classification standards.
• enterprise-wide information management.
• information environment.
Data Processing: Knowledge of the capabilities and functionality associated with content creation and processing technologies:
• wikis, social networking, content management systems, blogs.
• taxonomy and semantic ontology theory.
• how to utilize Hadoop, Java, Python, SQL, Hive, and Pig to explore data.
• media production, communication, and dissemination techniques and methods.
• methods, procedures, and techniques of gathering information and producing, reporting, and sharing information.
• how to extract, analyze, and use metadata.

Data Security: Knowledge of critical information technology:
• advanced data remediation security features in databases.
• critical information requirements.
• secure update mechanisms.
Law and Regulations: Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures:
• digital rights management.
• electronic evidence law.
• judicial process, including the presentation of facts and evidence.
• cyber laws and their effect on cyber planning.
• privacy disclosure statements based on current laws.

Organisational Procedures and Company Policies


Customer and Partners: Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information.

Deconfliction: Knowledge of deconfliction processes and procedures.

Human Resources: Knowledge of organizational human resource policies, processes, and procedures.

Intelligence: Knowledge of intelligence disciplines.

Learning Process: Knowledge of training and education policies, processes, and procedures:
• instructional design and evaluation models.
• learning assessment techniques.
• computer-based training and e-learning services.
• Learning Management Systems and their use in managing learning.
• modes of learning.
• training and education principles and methods for curriculum design.

Maturity Models: Knowledge of organizational process improvement concepts and process maturity models:
• Capability Maturity Model Integration (CMMI).
• measures or indicators of system performance and availability.

Organisation Policy and Procedures:
• organizational planning and staffing process.
• organization, roles and responsibilities.
• organizational structure.
• internal and external customers and partner organizations, including information needs, objectives, structure, capabilities, etc.

Security Policies: Knowledge of organizational security policies:
• cyber operation objectives, policies, and legalities.

Security
Access Control: Knowledge of authentication, authorization, and access control methods:
• host/network access control mechanisms.
• network access, identity, and access management: public key infrastructure, OAuth, OpenID, SAML, SPML.
• developing and applying user credential management systems.
• Unix and Windows systems that provide RADIUS authentication and logging.
Cyber Attacks: Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities:
• adversarial tactics, techniques, and procedures.
• hacking methodologies.
• social dynamics of computer attackers in a global context.
• different classes of attacks: passive, active, insider, close-in, distribution attacks.
• cyber-attack stages: reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks.
• common computer/network infections (virus, Trojan, etc.) and methods of infection (ports, attachments, etc.).
• denial and deception techniques.
• structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques: gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network.

Cyber Defense: Knowledge of cyber defense and information security policies, procedures, and regulations:
• intrusion detection methodologies and techniques.
• system administration, network, and operating system hardening techniques.
• security architecture concepts.
• application firewall concepts and functions.
• security models: Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model.
• software and methodologies for active defense and system hardening.

Encryption: Knowledge of cryptography and cryptographic key management concepts:
• encryption algorithms and methodologies.
Ethical Hacking: Knowledge of ethical hacking principles and techniques:
• hacking methodologies.
• penetration testing principles, tools, and techniques.
• cyber competitions as a way of developing skills by providing hands-on experience in simulated, real-world situations.

Forensic Analysis: Knowledge of concepts and practices of processing digital forensic data:
• which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.
• concepts and practices of processing digital forensic data.

Incident Reporting and Management: Knowledge of incident categories and incident responses:
• incident response and handling methodologies.
• target estimated repair and recuperation times.
• enterprise incident response program, roles, and responsibilities.
• crisis management protocols, processes, and techniques.

Intrusion and Malware Detection: Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization:
• malware analysis tools: OllyDbg, IDA Pro.
• malware with virtual machine detection.
• physical and physiological behaviors that may indicate suspicious or abnormal activity.
• malware analysis concepts and methodologies.
• Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
Risk Management: Knowledge of risk management processes:
• methods for assessing and mitigating risk.
• Risk Management Framework.
• countermeasures for identified security risks.
• risk scoring.
• risk assessment methodologies.

Security Fundamentals: Knowledge of cybersecurity and privacy principles:
• cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• information security systems engineering principles.
• information technology (IT) security principles and methods.
• key concepts in security management.
• defense-in-depth principles and network security architecture.
• emerging security issues, risks, and vulnerabilities.
• security management.
• cyber lexicon/terminology.
• current and emerging cyber technologies.
Threat & Vulnerabilities: Knowledge of cyber threats and vulnerabilities:
• vulnerability information dissemination sources.
• current and emerging threats/threat vectors.
• risk/threat assessment.
• cyber threat actors and their equities.
• ways in which targets or threats use the Internet.

Technology Trends

Computer Algorithms: Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics.

Machine Learning: Knowledge of machine learning theory and principles:
• data mining and data warehousing principles.
• language processing tools and techniques.

Technology Trends & Application: Knowledge of emerging technologies that have potential for exploitation.
Table 23. Assignment of Knowledge Categories and Subcategories to EPES User Roles.

[Assignment matrix. Columns are the 16 EPES user roles (numbered 1 to 16); the role labels recoverable from the page are: Executive Manager, Security Admin, Power Plant Oper., Facility Oper. (PP), Field Engineer, System Oper. /, Energy Trader, AMI and DSM, OT Manager / Comm. Admin, Subst. Engineer, Subst. Operator, Building EM, Developers. Cell values: B = Basic, M = Medium, A = Advanced; "-" = not assigned; "?" = illegible cell. Cells are listed in row order; their column positions did not survive extraction.]

Collection
  Collection Management: (none)
  Collection Process: - B B - B A B
  Collection Tools: (none)

Communication Networks
  Communication Fundamentals: B A B M A M M M M
  Communication Technology: M B M B M M
  Network Architectures: B M B M M A A A M
  Network Management: M M B M A M A
  Network Protocols: A - M B B - B M A M A
  Network Security: A B M M M A

Information and Communication Technologies
  Database: B M B B M A
  Hardware: B M B M B B M M A B
  IT Architectures: M B M B B M B
  IT Systems: A B M B B B M B B M B B B
  Media Storage Devices: M B M B A B A B
  Operating Systems: M B M B B B B M B B B
  Programming: B B B A A
  Web Applications: (none)

Information Management
  Asset Management: A A ? ? B M A B M B M B
  Data Management: M B B ? M M B B B M M ?
  Data Processing: - - B B B M B B B B
  Data Security: B B B B

Law and Regulations
  Law and Regulations: M M B

Organisational Procedures and Company Policies
  Customer and Partners: (none)
  Deconfliction: B B ?
  Human Resources: A B B B B B
  Intelligence: B M B
  Learning Process: M B B B B
  Maturity Models: A M B B A B B
  Organisation Policy and Procedures: A M B B B B B B B B B
  Security Policies: B A B B B B B B B
  Targeting and Tasking: A B B B

Security
  Access Control: ? B
  Cyber Attacks: B B ? B ? B
  Cyber Defense: A B B B B B B B B
  Encryption: M B B B
  Ethical Hacking: A B B B B B M
  Forensic Analysis: A B B B B B
  Incident Reporting and Management: A A M A B M A M B B B
  Intrusion and Malware Detection: A B B B B B M M
  Risk Management: B A B B B B B B
  Security Fundamentals: B - B - - - B B B - ? B B -
  Threat & Vulnerabilities: B B B B B

Technology Trends
  Computer Algorithms: (none)
  Machine Learning: (illegible)
  Technology Trends & Application: M B B B B B B B B B B
5.4 Skills

This section provides the result of the analysis of the cybersecurity skills required for each User Role:

• Table 24 lists the skill categories and subcategories and provides examples of the skills in each subcategory.
• Table 25 identifies which skill categories and subcategories are assigned to each user role. In this case, different skill levels (Basic, Medium, Advanced) have not been considered.
• The final set of skills for each role is provided in Annex I.

Table 24. Skill Categories and Subcategories


Collection

Collection Tools
• Skill to extract information from available tools and applications associated with collection operations management.
• Skill to use collaborative tools and environments for collection operations.

Cybersecurity

Access Control
• Skill in applying host/network access controls (e.g., access control lists).
• Skill in developing and applying security system access controls.
• Skill in maintaining directory services.

Cyber Attacks
• Skill in the use of social engineering techniques.
• Skill in recognizing and interpreting malicious network activity in traffic.
• Skill in recognizing denial and deception techniques of the target.
Cyber Defense
• Skill in discerning the protection needs and evaluating the adequacy of security designs.
• Skill in implementing and maintaining network security practices.
• Skill in configuring and utilizing software-based protection tools.
• Skill in protecting a network against malware.
• Skill in applying security controls.
• Skill in designing multi-level security/cross-domain solutions.
• Skill in system, network, and OS hardening techniques.
• Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
• Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Encryption
• Skill in developing and deploying signatures and hash functions.
• Skill in using Virtual Private Network (VPN) devices and encryption.
• Skill in integrating Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications.
• Skill in assessing the application of cryptographic standards.
• Skill in verifying the integrity of all files (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.).
Ethical Hacking
• Skill in the use of penetration testing tools and techniques.

Forensic Analysis
• Skill in identifying and extracting data of forensic interest.
• Skill in setting up a forensic workstation.
• Skill in using forensic tool suites.
• Skill in conducting forensic analyses in multiple environments.
• Skill in deep analysis of captured malicious code.
• Skill in reviewing logs to identify evidence of past intrusions.

Incident Reporting and Management
• Skill in using incident handling methodologies.
• Skill in using security event correlation tools.
• Skill in applying crisis planning procedures.
• Skill to respond and take local actions in response to threat sharing alerts from service providers.

Intrusion and Malware Detection
• Skill in detecting host- and network-based intrusions via intrusion detection technology.
• Skill in analysing anomalous code as malicious or benign.
• Skill in analysing malware.
• Skill in identifying, capturing, containing, and reporting malware.
Risk Management
• Skill in designing countermeasures to identified security risks.
• Skill in performing impact/risk assessments.
• Skill to use risk scoring to help organizations identify, assess, and manage cybersecurity risk.

Security Fundamentals
• Skill in applying confidentiality, integrity, and availability principles.
• Skill in designing security controls based on cybersecurity principles.
• Skill in applying security models.

Threat & Vulnerabilities
• Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
• Skill in using network analysis tools to identify vulnerabilities.
• Skill in conducting application vulnerability assessments.
• Skill in identifying cyber threats which may jeopardize organization and/or partner interests.
• Skill in interpreting vulnerability scanner results to identify vulnerabilities.
• Skill to anticipate new security threats.

Network and Communications
Communication Technology
• Skill in survey, collection, and analysis of wireless LAN metadata.
• Skill in using non-attributable networks.
• Skill in wireless network target analysis, templating, and geolocation.

Network Architectures
• Skill in applying various subnet techniques.
• Skill in setting up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.
• Skill in analysing traffic to identify network devices.
• Skill in determining the physical location of network devices.
• Skill in identifying a target's communications networks.
• Skill in identifying the devices that work at each level of protocol models.
• Skill in using traceroute tools and interpreting the results as they apply to network analysis and reconstruction.

Network Management
• Skill in analysing network traffic capacity and performance characteristics.
• Skill in diagnosing connectivity problems.
• Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
• Skill in using network management tools to analyse network traffic.
• Skill in using protocol analysers.
• Skill in network systems management principles, models, methods and tools.
• Skill in extracting information from packet captures.
ICT

Database
• Skill in generating queries and reports and using Boolean operators to construct simple and complex queries.
• Skill in maintaining databases.
• Skill in optimizing database performance.

Hardware
• Skill in tuning sensors.
• Skill in physically disassembling PCs.

IT Systems
• Skill in designing the integration of hardware and software solutions.
• Skill in identifying possible causes of degradation of system performance.
• Skill in conducting system/server planning, management, and maintenance.
• Skill in correcting physical and technical problems that impact system/server performance.
• Skill in installing system and component upgrades.
• Skill in monitoring and optimizing system/server performance.
• Skill in recovering failed systems/servers.
• Skill in determining installed patches on various operating systems and identifying patch signatures.
• Skill in server administration.

Operating Systems
• Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux.
• Skill in using virtual machines.
• Skill in operating system administration.

Programming
• Skill in writing code in a currently supported programming language.
• Skill in writing scripts using R, Python, Pig, Hive, SQL, etc.
• Skill in interpreting compiled and interpreted programming languages.
• Skill in remote command line and Graphical User Interface (GUI) use.
• Skill in applying secure coding techniques.
• Skill in conducting software debugging and interpreting debugger results to ascertain tactics, techniques, and procedures.

Software Development
• Skill in writing and conducting test plans.
• Skill in configuring and optimizing software.
• Skill in design modelling and building use cases.
• Skill in designing and documenting overall program Test & Evaluation strategies.
Information Management

Asset Management
• Skill to access information on current assets available and their usage.
• Skill to identify sources, characteristics, and uses of the organization's data assets.

Data Management
• Skill in using knowledge management technologies.
• Skill in using multiple search engines and tools in conducting open-source searches.

Data Processing
• Skill in designing a data analysis structure.
• Skill in developing data models and dictionaries.
• Skill in data pre-processing and performing format conversions to create a standard representation of the data.
• Skill in developing machine-understandable semantic ontologies.
• Skill in conducting social network analysis.
• Skill in creating and extracting important information from packet captures.
• Skill in evaluating and interpreting metadata.
• Skill in using data analysis tools.

Law and Regulations
• Skill in preserving evidence integrity according to standard operating procedures or national standards.
• Skill in complying with the legal restrictions for targeted information.

Organisational Procedures and Company Policies


Customer and Partners
• Skill in interfacing with customers.
• Skill in managing client relationships.
• Skill in negotiating vendor agreements and evaluating vendor privacy practices.
• Skill to analyse and assess internal and external partner reporting.

Intelligence
• Skill in developing intelligence reports.

Organisation Policy and Procedures
• Skill in applying organization-specific systems analysis principles and techniques.
• Skill to compare indicators/observables with requirements.
• Skill to craft indicators of operational progress/success.

Technology Trends

Computer Algorithms
• Skill in creating and utilizing mathematical or statistical models.
• Skill in using scientific rules and methods to solve problems.

Machine Learning
• Skill in data mining techniques.

Technology Trends & Application
• Skill to remain aware of evolving technical infrastructures.

Personal Skills

Personal Skills
• Skill in preparing and presenting briefings.
• Skill in preparing plans and related correspondence.
• Skill in reviewing and editing plans.
• Skill in writing effectiveness reports.
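The Encryption row of Table 24 lists verifying file integrity by checksums, Exclusive OR and secure hashes as a single skill. The following Python script is an added example, not part of the deliverable, that shows why the three are not interchangeable for a security role: it builds an integrity manifest over a constructed substation configuration file, tampers with one setpoint, and checks which method still detects the change once an attacker can append bytes to the file or rewrite an unkeyed hash stored next to it. The file contents, the manifest layout and the function names are assumptions made for the example.

```python
"""Added example: checksum vs. secure hash vs. keyed MAC for file-integrity checks."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample artefacts (not from the deliverable): a substation
# configuration file and a tampered copy in which one relay setpoint is changed.
ORIGINAL = b"breaker_01=closed\nrelay_trip_threshold_a=1200\nfirmware=v2.3.1\n"
TAMPERED = b"breaker_01=closed\nrelay_trip_threshold_a=9999\nfirmware=v2.3.1\n"


def xor_checksum(data: bytes) -> int:
    """Byte-wise XOR checksum: detects accidental single-bit corruption only."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def sha256_digest(data: bytes) -> str:
    """Unkeyed secure hash: detects any change, but can be recomputed by anyone."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, data: bytes) -> str:
    """Keyed MAC: detects any change and cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def forge_xor_collision(tampered: bytes, target: int) -> bytes:
    """Append one byte so the XOR checksum of the tampered file equals `target`.

    XOR is linear, so the byte that cancels the difference is just
    checksum(tampered) XOR target. This is why a checksum gives no protection
    against a deliberate edit, only against line noise and disk errors.
    """
    return tampered + bytes([xor_checksum(tampered) ^ target])


def build_manifest(data: bytes, key: bytes) -> Dict[str, object]:
    """Hypothetical manifest format: all three integrity values side by side."""
    return {
        "xor": xor_checksum(data),
        "sha256": sha256_digest(data),
        "hmac": hmac_sha256(key, data),
    }


def verify(manifest: Dict[str, object], data: bytes, key: Optional[bytes] = None) -> Dict[str, bool]:
    """Return a per-method verdict for `data` against a stored manifest.

    compare_digest is used for the hex strings so the comparison does not
    leak timing information about how many leading characters matched.
    """
    verdict = {
        "xor": xor_checksum(data) == manifest["xor"],
        "sha256": hmac.compare_digest(sha256_digest(data), str(manifest["sha256"])),
    }
    if key is not None and "hmac" in manifest:
        verdict["hmac"] = hmac.compare_digest(hmac_sha256(key, data), str(manifest["hmac"]))
    return verdict


def demo() -> Dict[str, Dict[str, bool]]:
    """Three checks: untouched file, forged file vs. the honest manifest, and
    forged file vs. a manifest the attacker rewrote (everything but the MAC)."""
    key = secrets.token_bytes(32)  # in practice kept off the monitored host
    manifest = build_manifest(ORIGINAL, key)
    forged = forge_xor_collision(TAMPERED, int(manifest["xor"]))
    # An attacker who can edit the file can also recompute an unkeyed hash
    # stored beside it; the MAC key is the one thing they do not have.
    attacker_manifest = dict(manifest, xor=xor_checksum(forged), sha256=sha256_digest(forged))
    return {
        "original": verify(manifest, ORIGINAL, key),
        "forged_vs_manifest": verify(manifest, forged, key),
        "forged_vs_rewritten_manifest": verify(attacker_manifest, forged, key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} {result}")
```

The practical reading for an EPES role: a checksum belongs in a transmission or storage path to catch corruption; a secure hash published out-of-band (or a keyed MAC or signature whose key the host does not hold) is what is needed when the threat is a person or malware editing configuration files on the device itself.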
Table 25. Assignment of Skill Categories to EPES User Roles.

[Assignment matrix. Columns are the EPES user roles (numbered 1 to 16); the role labels recoverable from the page are: Executive Manager, Security Admin, Power Plant Oper., Facility Oper. (PP), Field Engineer, System Oper. /, Energy Trader, AMI and DSM, OT Manager / Comm. Admin, Subst. Engineer, Subst. Operator, Building EM, Developers. X = skill subcategory assigned to the role. Marks are listed in row order; their column positions did not survive extraction.]

Collection
  Collection Management: (none)
  Collection Process: (none)
  Collection Tools: X X

Communication Networks
  Communication Technology: X X X
  Network Architectures: X X X
  Network Management: X X X

Information and Communication Technologies
  Database: X X X X X X X X X X X X X X
  Hardware: X X
  IT Systems: X X X X X X X X X X X X X X X X
  Operating Systems: X X X
  Programming: X
  Software Development: X X X

Information Management
  Asset Management: X X X X X X X X X X X X
  Data Management: X X X X X X X X X X X X X X X X
  Data Processing: X X X X X X X X X X X X X X X X

Law and Regulations
  Law and Regulations: (none)

Organisational Procedures and Company Policies
  Customer and Partners: X X
  Human Resources: (none)
  Intelligence: X X
  Learning Process: (none)
  Organisation Policy and Procedures: X X X X X X

Security
  Access Control: X X
  Cyber Attacks: X X
  Cyber Defense: X X
  Encryption: X
  Ethical Hacking: X X
  Forensic Analysis: X X
  Incident Reporting and Management: X
  Intrusion and Malware Detection: X
  Risk Management: X X
  Security Fundamentals: X X
  Threat & Vulnerabilities: X

Technology Trends
  Computer Algorithms: (none)
  Machine Learning: (none)
  Technology Trends & Application: (none)

Personal Skills
  Personal Skills: (none)
5.5 Abilities

This section provides the result of the analysis of the cybersecurity abilities required for each User Role:

• Table 26 lists the ability categories and subcategories and provides examples of the abilities in each subcategory.
• Table 27 identifies which ability categories and subcategories are assigned to each user role. In this case, different ability levels (Basic, Medium, Advanced) have not been considered.
• The final set of abilities for each role is provided in Annex I.

Table 26. Ability Categories and Subcategories


Cybersecurity

Cyber Attacks
• Ability to identify/describe techniques/methods for conducting technical exploitation of the target.

Cyber Defense
• Ability to prioritize and allocate cybersecurity resources correctly.
• Ability to conduct a comprehensive assessment of the management, operational, and technical security controls.
• Ability to assess a security plan.
• Ability to identify critical infrastructure systems.

Forensic Analysis
• Ability to conduct forensic analyses.

Incident Reporting and Management
• Ability to design incident response for cloud service models.

Intrusion and Malware Detection
• Ability to analyse malware.
• Ability to apply techniques for detecting host- and network-based intrusions using intrusion detection technologies.

Risk Management
• Ability to apply supply chain risk management standards.
• Ability to provide an assessment of the severity of weaknesses or deficiencies discovered in the system.
• Ability to recognize that changes to systems or environment can change residual risks.

Security Fundamentals
• Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
• Ability to understand the basic concepts and issues related to cyber and its organizational impact.
• Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Ability to conduct systems security engineering activities.
• Ability to find and navigate the dark web using the Tor network to locate markets and forums.

Threat & Vulnerabilities
• Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
• Ability to identify/describe target vulnerabilities.
Communication Networks

Network Architectures
• Ability to apply network security architecture concepts including topology, protocols, components, and principles.
• Ability to design and build architectures and frameworks.
• Ability to set up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.

Network Management
• Ability to operate common network tools.
• Ability to operate network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
• Ability to track the location and configuration of networked devices and software across departments, locations and facilities.
• Ability to monitor traffic flows across the network.
• Ability to perform network collection tactics, techniques, and procedures, including decryption capabilities/tools.
• Ability to interpret the information collected by network tools.
Information and Communication Technologies

Database
• Ability to maintain databases (i.e., backup, restore, delete data, transaction log files, etc.).

IT Systems
• Ability to apply secure system design tools, methods and techniques.
• Ability to monitor measures or indicators of system performance and availability.
• Ability to operate different electronic communication systems and methods (e.g., e-mail, VoIP, IM, web forums, Direct Video Broadcasts).
• Ability to integrate information security requirements into the acquisition process.

Operating Systems
• Ability to execute OS command-line tools (e.g., ipconfig, netstat, dir, nbtstat).
• Ability to examine digital media on multiple operating systems.

Programming
• Ability to apply programming language structures and logic.
• Ability to develop secure software according to secure software deployment methodologies, tools, and practices.
• Ability to employ best practices when implementing security controls.

Software Development
• Ability to capture and refine security requirements and ensure that they are effectively integrated into the component products and systems.
• Ability to collect, verify, and validate test data.
• Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.
• Ability to execute technology integration processes.
• Ability to interpret and translate customer requirements into operational capabilities.

Data Security
• Ability to ensure information security management processes are integrated with strategic and operational planning processes.
• Ability to establish the rules for appropriate use and protection of the information.

Data Processing
• Ability to decrypt digital data collections.
• Ability to translate data and test results into evaluative conclusions.
• Ability to use data visualization tools.
• Ability to evaluate information for reliability, validity, and relevance.
• Ability to evaluate, analyse, and synthesize large quantities of data.
Law and Regulations

Law and Regulations
• Ability to determine whether a security incident violates a privacy principle or legal standard requiring specific legal action.
• Ability to monitor and assess the potential impact of emerging technologies on laws, regulations, and/or policies.
• Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
• Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
• Ability to author a privacy disclosure statement based on current laws.

Organisational Procedures and Company Policies

Customer and Partners
• Ability to evaluate the trustworthiness of the supplier and/or product.
• Ability to identify external partners with common cyber operations interests.
• Ability to interpret and translate customer requirements.
• Ability to tailor technical and planning information to a customer's level of understanding.
• Ability to ensure that functional and security requirements are appropriately addressed in a contract.
Human Resources
• Ability to assess and forecast manpower requirements to meet organizational objectives.
• Ability to determine the validity of workforce trend data.
• Ability to apply approved planning development and staffing processes.

Learning Process
• Ability to prepare and deliver education and awareness briefings.
• Ability to gauge learner understanding and knowledge level.
• Ability to provide effective feedback to students for improving learning.
• Ability to apply principles of adult learning.
• Ability to develop clear directions and instructional materials.
• Ability to develop curriculum for use within a virtual environment.
• Ability to apply the Instructional System Design (ISD) methodology.
• Ability to conduct training and education needs assessment.

Intelligence
• Ability to identify intelligence gaps.
• Ability to utilize multiple intelligence sources across all intelligence disciplines.

Security Policies
• Ability to develop policy, plans, and strategy in compliance with laws, regulations, and standards in support of organizational cyber activities.
• Ability to work across departments and business units to implement the organization's privacy principles in alignment with its security objectives.

Organisation Policy and Procedures
• Ability to coordinate cyber operations with other organization functions or support activities.
• Ability to coordinate, collaborate and disseminate information to subordinate, lateral and higher-level organizations.
• Ability to ensure the organization has adequately trained personnel to assist in complying with security requirements in legislation, Executive Orders, policies, directives, instructions, standards, and guidelines.
• Ability to coordinate with senior leadership of an organization to develop a risk management strategy for the organization.
• Ability to work closely with authorizing officials to help ensure that security considerations are integrated.


Technology Trends 


Computer e Ability to use and understand complex mathematical concept. 
Algorithms e Ability to interpret and understand complex and rapidly evolving 
concepts. 


e Ability to design capabilities to find solutions to less common and more 
complex system problems. 

Machine Learning e Ability to develop or recommend analytic approaches or solutions to 
problems and situations for which information is incomplete or for 
which no precedent exists. 

Technology Trends & өе Ability to leverage best practices and lessons learned of external 

Application organizations and academic institutions dealing with cyber issues. 

e Ability to understand technology, management, and leadership issues 
related to organization processes and problem solving. 

Personal Skills e Ability to answer questions in a clear and concise manner. 

e Ability to ask clarifying questions. 

е Ability to communicate complex information, concepts, or ideas in a 
confident and well-organized manner. 

Ability to facilitate small group discussions. 

e Ability to prepare and present briefings and produce technical 
documentation. 

e Ability to design valid and reliable assessments. 

e Ability to apply critical reading/thinking skills. 

* Ability to function in a collaborative environment, seeking continuous 
consultation with other analysts and experts to leverage analytical and 
technical expertise. 

e Ability to think critically. 

e Ability to understand objectives and effects. 

Ability to recognize and mitigate deception in reporting and analysis 
Table 27. Assignment of Knowledge Categories and Subcategories to EPES User Roles.

[Table 27 matrix: knowledge categories and subcategories (rows) against EPES user roles (columns). The rows are:]

Communication Networks: Network Architectures; Network Management.
Technologies: Operating Systems; Programming; Software Development.
Information Management: Data Processing; Data Security.
Law and Regulations: Law and Regulations.
Organisational Procedures and Company Policies: Customer and Partners; Human Resources; Intelligence; Organisation Policy and Procedures; Security Policies.
Security: Cyber Attacks; Cyber Defense; Forensic Analysis; Incident Reporting and Management; Intrusion and Malware Detection; Risk Management; Security Fundamentals; Threat & Vulnerabilities.
Technology Trends: Computer Algorithms; Machine Learning; Technology Trends & Application.
Personal Skills: Personal Skills.

Security Fundamentals and Personal Skills are assigned to every user role (marked X in every column).
6 Evaluation Tool

The objective of the Evaluation Tool is to measure the Maturity Level of an Energy Company with respect to the Cybersecurity Awareness Maturity Model described in Section 4.

This tool, developed in EXCEL, helps a company to assess which processes have been deployed satisfactorily, which have been deployed partially and which have not been deployed. With this information the tool produces a set of tables and graphs showing the level of maturity of the company.

The tool contains the following elements:

1. Cover form. It provides general information about the tool: name, version, brief description, ...
2. Evaluation summary form.
3. Level 2 (People Managed) results presentation form.
4. Level 3 (Competency Managed) results presentation form.
5. Processes assessment form.

The following sections present the elements of the Evaluation Tool.


6.1 Colour Code

The evaluation tool uses a colour code to show whether a practice or a process has been totally satisfied (green), partially satisfied (yellow) or not satisfied (red) by the company. Table 28 provides a brief explanation of the meaning of each colour.

Table 28. Colour code used in the Evaluation Tool

Red: The purpose of the practice is judged as absent or poorly addressed within the set of implemented practices; deficiencies or problems were identified that will impede the achievement of the goal if the deployment is carried out in this way throughout the organizational unit.

Yellow: The purpose of the practice is judged as partially addressed within the set of implemented practices; deficiencies or problems were identified that could threaten the achievement of the goal if the deployment is carried out in this way throughout the organizational unit.

Green: The purpose of the practice is judged as adequately addressed within the set of implemented practices, in a way that would allow the goal to be met if the practice were deployed throughout the organizational unit.

White: The practices are not applicable in the context of the organization.
6.2 Cover Form

It provides general information about the tool, as shown in Figure 22.

[Screenshot of the cover form: project identification (SDN-microSENSE, Project No. 833955, Deliverable D3.4, Energy-related Personnel & Processes Readiness Evaluation, Programme H2020-SU-DS-2018, Editor TECNALIA), the tool title "Cybersecurity Capability Maturity Model Evaluation Tool" and its description: "The Cybersecurity Awareness Maturity Model measures how effectively and efficiently an energy company is training its employees on cybersecurity issues. The objective of the Evaluation Tool is to measure the Maturity Level of an Energy Company regarding the Cybersecurity Awareness Maturity Model."]

Figure 22. Evaluation tool. Tool description form.
6.3 Evaluation Summary Form

This form provides the summary of the whole evaluation process. The user gets an overall view of the level of deployment of the Cybersecurity Awareness & Training Model in the company.

The main elements of this form are the following:

1. Model levels: provides a brief description of each level and the degree of development achieved by the company. You can click on the level name to go to the corresponding level form.

2. Processes: shows a brief description of each process and the degree of development achieved by the company. You can click on the level name to go to the corresponding level form.

Figure 23 shows an example of the Evaluation Summary Form, where we can see that level 2 (People Managed) has been satisfied (green colour) because all the processes of this level have been satisfied. On the contrary, the Workforce Planning process has not been satisfied at level 3 (Competency Managed) and the other three processes have been satisfied partially. Therefore, the Competency Managed level is considered partially satisfied (yellow colour). This can be seen more clearly in Figure 24 and Figure 25.
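The roll-up that the summary form performs, written out as an added Python example (it is not the project's Excel tool): practice answers from the "Satisfied?" column are scored, pooled per objective and per process, and mapped to the Table 28 colours; a level is then coloured from its processes. The function names, the weights (Yes = 1, Partial = 0.5, No = 0, N/A excluded) and the level rule (green only when every applicable process is green, red only when every one is red, otherwise yellow) are assumptions chosen to reproduce the Figure 23 outcome, since the deliverable states only the colour meanings.

```python
"""Roll-up of practice answers into the Table 28 colour code (added example).

Assumptions not stated by the deliverable: Yes = 1.0, Partial = 0.5,
No = 0.0 per practice; N/A practices are excluded from the denominator,
and an objective, process or level with nothing applicable is white.
"""
from typing import Dict, List, Optional

# Assumed numeric weight of each answer in the "Satisfied?" column.
WEIGHTS = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}
NOT_APPLICABLE = "N/A"

# One evaluation: level -> process -> objective -> list of practice answers.
Evaluation = Dict[str, Dict[str, Dict[str, List[str]]]]


def score(answers: List[str]) -> Optional[float]:
    """Fraction of satisfied practices, or None when every practice is N/A."""
    applicable = [a for a in answers if a != NOT_APPLICABLE]
    if not applicable:
        return None
    unknown = [a for a in applicable if a not in WEIGHTS]
    if unknown:
        raise ValueError(f"unexpected answer(s) in Satisfied? column: {unknown}")
    return sum(WEIGHTS[a] for a in applicable) / len(applicable)


def colour(value: Optional[float]) -> str:
    """Map a satisfaction fraction to the Table 28 colour."""
    if value is None:
        return "white"      # practices not applicable to the organisation
    if value >= 1.0:
        return "green"      # purpose adequately addressed
    if value <= 0.0:
        return "red"        # purpose absent or poorly addressed
    return "yellow"         # purpose partially addressed


def level_colour(process_colours: List[str]) -> str:
    """Assumed level rule: green only if every applicable process is green,
    red only if every applicable process is red, any mix is yellow."""
    applicable = [c for c in process_colours if c != "white"]
    if not applicable:
        return "white"
    if all(c == "green" for c in applicable):
        return "green"
    if all(c == "red" for c in applicable):
        return "red"
    return "yellow"


def evaluate(evaluation: Evaluation) -> Dict[str, dict]:
    """Compute objective, process and level results for a whole evaluation."""
    report: Dict[str, dict] = {}
    for level, processes in evaluation.items():
        entry: Dict[str, dict] = {"processes": {}}
        for process, objectives in processes.items():
            obj_results = {}
            for objective, answers in objectives.items():
                s = score(answers)
                obj_results[objective] = {"score": s, "colour": colour(s)}
            # The process score pools every applicable practice of its objectives.
            pooled = score([a for ans in objectives.values() for a in ans])
            entry["processes"][process] = {
                "score": pooled,
                "percent": None if pooled is None else round(pooled * 100),
                "colour": colour(pooled),
                "objectives": obj_results,
            }
        entry["colour"] = level_colour(
            [p["colour"] for p in entry["processes"].values()])
        report[level] = entry
    return report


# Constructed sample answers mirroring the situation described for Figure 23:
# every Level 2 process satisfied; at Level 3, Workforce Planning not satisfied
# and the other three processes partially satisfied.
SAMPLE_EVALUATION: Evaluation = {
    "Level 2 - People Managed": {
        "Staffing": {"Objective 1": ["Yes", "Yes"], "Objective 2": ["Yes"],
                     "Objective 3": ["Yes", "N/A"], "Objective 4": ["Yes"]},
        "Training and Development": {"Objective 1": ["Yes", "Yes", "Yes", "Yes"]},
        "Communication & Coordination": {"Objective 1": ["Yes"],
                                         "Objective 2": ["Yes", "Yes"]},
        "Work Environment": {"Objective 1": ["Yes", "Yes"]},
    },
    "Level 3 - Competency Managed": {
        "Cybersecurity Competency Analysis": {
            "Objective 1": ["Yes", "Partial", "No"],
            "Objective 2": ["Partial", "No"], "Objective 3": ["No", "Yes"]},
        "Cybersecurity Competency Development": {
            "Objective 1": ["Partial", "No", "No", "No"],
            "Objective 2": ["Partial", "No"]},
        "Participatory Culture": {"Objective 1": ["Yes", "No"]},
        "Workforce Planning": {"Objective 1": ["No", "No"], "Objective 2": ["No"],
                               "Objective 3": ["No", "N/A"]},
    },
}

if __name__ == "__main__":
    for level, entry in evaluate(SAMPLE_EVALUATION).items():
        print(f"{level}: {entry['colour']}")
        for name, p in entry["processes"].items():
            print(f"  {name}: {p['percent']}% -> {p['colour']}")
```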


[Screenshot of the "Cybersecurity Awareness & Training Model - Evaluation Summary" form, with a link to the Global Graphs. Its content:]

Level 3, Competency Managed. Description: People are trained and qualified according to their roles in the company and according to the threats they or the equipment and systems they handle may suffer. Processes:
• Cybersecurity Competency Analysis: Identify the cybersecurity knowledge, skills, and process abilities required to perform the organization's business activities in the most secure way possible. Satisfied: 47%.
• Cybersecurity Competency Development: Enhance constantly the capability of the workforce to perform its assigned tasks and responsibilities.
• Participatory Culture: Enable the workforce's full capability for making decisions that affect the performance of business activities oriented to detect cybersecurity risks.
• Workforce Planning: Coordinate workforce activities with current and future cybersecurity needs at both the organizational and role levels.

Level 2, People Managed. Description: Managers take responsibility for managing and developing the awareness and training of the workforce. Processes:
• Staffing: Establish a formal process by which committed work regarding cybersecurity needs is matched to unit resources and qualified individuals are recruited, selected, and transitioned into assignments.
• Training and Development: Ensure that all individuals have the knowledge and skills required to perform their assignments and activities related to cybersecurity.
• Communication & Coordination: Establish timely communication throughout the organization and ensure that the personnel has the skills to share cybersecurity information and that this information is efficiently coordinated.
• Work Environment: Establish and maintain physical working conditions and provide resources that allow individuals and workgroups to perform the detection of intrusions efficiently and also to avoid unintentional security incidents caused by the personnel.

Level 1, Initial. Description: Awareness and training practices are applied inconsistently or in a reactive manner. No processes have been defined in this level.

Figure 23. Evaluation tool. Evaluation summary form.
[Screenshot: the "Description / Satisfied" columns of the summary form for the three maturity levels (3 Competency Managed, 2 People Managed, 1 Initial), with the level descriptions given in Figure 23 and the colour assigned to each level.]

Figure 24. Evaluation summary form. Compliance degree of each maturity level.


[Screenshot: the "Purpose / Satisfied" columns of the summary form for the processes of each level, with the process purposes given in Figure 23 and the colour assigned to each process; Cybersecurity Competency Analysis is shown 47% satisfied.]

Figure 25. Evaluation summary form. Compliance degree of each process.

[Screenshot: the statistical graphs ("Global Graphs") of the evaluation summary form.]

Figure 26. Evaluation tool. Statistical graphs


6.4 Level 2 Evaluation Summary Form

This form provides the summary of the Level 2 (People Managed) evaluation process. The user gets an overall view of the degree of deployment of the processes of the People Managed level. Figure 27 shows an example of the People Managed Level Summary Form.


[Screenshot of the "Global View LEVEL 2 - PEOPLE MANAGED" form, with a link to the Level 2 Graphs. For each Level 2 process (Staffing, Training and Development, Communication & Coordination, Work Environment) it shows an "Objectives Satisfied" table (Total, Objective 1 to Objective 4) and a "Practices Satisfied" table (Pract 1 to Pract 19), each cell carrying the colour of Table 28.]

Figure 27. Evaluation tool. Level 2, People Managed, evaluation summary form.
Figure 28 shows the statistical graphs representing the percentage of achievement for each process of level 2, People Managed.

[Screenshot: "Global View LEVEL 2 - PEOPLE MANAGED" statistical graphs.]

Figure 28. Evaluation tool. Level 2 statistical graphs


6.5 Level 3 Evaluation Summary Form

This form provides the summary of the Level 3 (Competency Managed) evaluation process. The user gets an overall view of the degree of deployment of the processes of the Competency Managed level. Figure 29 shows an example of the Competency Managed Level Summary Form.


[Screenshot of the "Global View LEVEL 3 - COMPETENCY MANAGED" form, with a link to the Level 3 Graphs. For each Level 3 process it shows an "Objectives Satisfied" table and a "Practices" table (Pract 1 to Pract 9). Readable values: Cybersecurity Competency Analysis, Total 47% (Objective 2 25%, Objective 3 17%); Cybersecurity Competency Development, Total 19% (Objective 1 13%, Objective 2 25%); Participatory Culture and Workforce Planning with Objectives 1 to 3.]

Figure 29. Evaluation tool. Level 3, Competency Managed, evaluation summary form.

Figure 30 shows the statistical graphs representing the percentage of achievement for each process of 
level 3, Competency Managed. 
[Screenshot: "Global View LEVEL 3 - COMPETENCY MANAGED" statistical graphs, one horizontal bar chart per process (Cybersecurity Competency Analysis, Cybersecurity Competency Development, Participatory Culture, Workforce Planning) showing, per objective, the percentage of practices Not / Partially / Yes satisfied on a 0% to 100% axis.]

Figure 30. Evaluation tool. Level 3 statistical graphs


6.6 Process Assessment Forms

Information about the level of deployment of each process in a company is entered in the Process Data Entry Forms. Figure 31 and Figure 32 show the Process Assessment Forms of two processes: Staffing and Training and Development.
[Screenshot of the Staffing Process Assessment Form. Header: "SDN-microSENSE Cybersecurity Awareness & Training Evaluation Tool", "Level 2 - People Managed", "Global View". Its content:]

Staffing Process

Purpose: Establish a formal process by which committed work regarding cybersecurity needs is matched to unit resources and qualified individuals are recruited, selected, and transitioned into assignments.

Objective 1: Individuals or workgroups in each unit are involved in making commitments that balance the unit's workload with approved staffing.
Objective 2: Candidates are recruited for open positions.
Objective 3: Staffing decisions and work assignments are based on an assessment of work qualifications and other valid criteria.
Objective 4: Individuals are transitioned into and out of positions in an orderly way.

Practice 1 (Satisfied: Yes): Each unit analyses its work to determine the cybersecurity skills, measurements and effort required to perform them. Tips: a unit's work is analyzed to determine the types of tasks that require cybersecurity; the types of skills (cybersecurity skills) needed to perform proposed work are identified; individuals are involved in reviewing the cybersecurity measurements to be adopted in their work.

Practice 2 (Satisfied: N/A): Individuals and workgroups participate in making commitments for cybersecurity measurements they have to adopt and perform. Tips: individuals or workgroups are involved in estimating the resources, effort, and schedule required to deploy cybersecurity measurements to accomplish the work that they have been allocated; individuals or workgroups establish commitments they will be held accountable for meeting; individuals or workgroups are involved in reviewing progress against commitments and, when necessary, making changes to the commitments regarding their work.

Practice 3 (Satisfied: No): Each unit documents cybersecurity commitments that balance its workload with available staff and other required resources.

Practice 4 (Satisfied: N/A): Individual cybersecurity assignments are managed to balance committed cybersecurity measurements among individuals and units or groups.

Figure 31. Evaluation tool. Staffing Process Assessment Form
[Screenshot of the Training and Development Process Assessment Form. Header: "SDN-microSENSE Cybersecurity Awareness & Training Evaluation Tool", "Level 2 - People Managed", "Global View". Its content:]

Training and Development Process

Purpose: Ensure that all individuals have the knowledge and skills required to perform their assignments and activities related to cybersecurity. The primary focus of Training and Development is on removing the gap between the current skills of each individual and the skills required to perform their assignments related to cybersecurity activities.

Objective 1: Individuals receive timely training that is needed to perform their work.

Practice 1 (Satisfied: Yes): Identify cybersecurity knowledge and skills required for performing each individual's assigned tasks. Tip: maintain records of knowledge and skills required.

Practice 2 (Satisfied: Yes): Identify the training needed in critical skills for each individual. Tips: the term "Critical Cybersecurity Skills" refers to: execute specific cybersecurity procedures; use equipment effectively.

Practice 3 (Satisfied: Yes): Each unit develops and maintains a plan for satisfying its training needs. Tips: the unit's training plan typically specifies: training needed by each individual or workgroup to perform their assigned responsibilities; training to be provided to individuals or workgroups to support their development interests; the schedule for when training is to be provided; how this training is to be provided.

Practice 4 (Satisfied: Yes): Individuals or groups receive timely training needed to perform their assigned tasks. Tips: examples of training alternatives include the following: classroom training; distance learning; mentoring; apprenticeships; self-paced learning courses.

Figure 32. Evaluation tool. Training & Development Process Assessment Form
The main components of the form are the following:

1. Header: shows the model level and process identification.

[Screenshot of the form header: "SDN-microSENSE Cybersecurity Awareness & Training Evaluation Tool", "Level 2 - People Managed", "Global View".]

The header includes two links:

Global View: to the global view of the model.
Level 2 - People Managed: to the Maturity Level.

2. Purpose of the Process: a brief description of the purpose of the process.

[Screenshot: "Training and Development Process. Purpose: Ensure that all individuals have the knowledge and skills required to perform their assignments and activities related to cybersecurity. The primary focus of Training and Development is on removing the gap between the current skills of each individual and the skills required to perform their assignments related to cybersecurity activities."]

3. Objectives: objectives or goals to be achieved.

[Screenshot: "Objective 1: Individuals receive timely training that is needed to perform their work."]

4. Practices: practices to be deployed to achieve a specific goal of the process. On the right, three columns specify whether the practice has been deployed ("Yes"), not deployed ("No") or partially deployed ("Partial").

[Screenshot of the "Practices / Satisfy?" columns: Practice 1, Identify cybersecurity knowledge and skills required for performing each individual's assigned tasks: Yes. Practice 2, Identify the training needed in critical skills for each individual: Partial. Practice 3, Each unit develops and maintains a plan for satisfying its training needs: Yes.]

5. Tips: suggestions or examples that can be used to deploy the practice. Two types of tips are provided.

[Screenshot of the "Practices / Tips" columns: Practice 1: Maintain records of knowledge and skills required. Practice 2: The term "Critical Cybersecurity Skills" refers to: execute specific cybersecurity procedures; use equipment effectively. Practice 3: The unit's training plan typically specifies: training needed by each individual or workgroup to perform their assigned responsibilities; training to be provided to individuals or workgroups to support their development interests; the schedule for when training is to be provided; how this training is to be provided.]


6.7 Assessment Process

The Evaluation Tool has been designed and developed to carry out an assessment of the deployment state of the maturity model in a company. This process can be done by the company itself (self-assessment) or driven by external consultants (external appraisal).

The effort required to carry out the assessment process depends on the company size. Table 29 provides an estimate of the required effort (in days) for the following company sizes:

• Micro SMEs (less than 10 people).
• Small companies (less than 100 people).
• Medium companies (less than 250 people).
• Single-site large companies (more than 250 people).
• Multi-site large companies (more than 250 people).

Table 29. Effort estimation required to carry out the assessment

Micro SME: Self-assessment. 5 days.
Small (<100): Two options:
  1. Self-assessment with the support of an external appraiser. 7 days.
  2. External appraisal (Documental Review + Interviews + Report Development + Final Results Presentation). 12 days.
Medium (<=250): External appraisal (Documental Review + Interviews + Report Development + Final Results Presentation). 12 days.
Large Single-site: External appraisal (Documental Review + Interviews + Report Development + Final Results Presentation). 14 days.
Large Multi-site: Depending on the number of sites; in the case of 2 sites, for example, 24 days.

The estimation has been done according to the following criteria:

Self-assessment Micro (5 days)
• 0.5 days approx. per process: 4 days
• 1 day of self-analysis of results

Self-assessment Small (7 days)
• 0.75 days approx. per process: 6 days
• 1 day of self-analysis of results

SME External Appraisal (12 days)
• 3 days of document review (3 hours approx. per process: 24 hours)
• 1 day of interview per process + preparation of results report: 8 days
• 1 day presentation of results

Large Single site (14 days)
• 4 days of document review (4 hours approx. per process: 32 hours)
• 1 day of interview per process: 8 days
• 1 day preparation of results report
• 1 day presentation of results

Large Multisite (in the case of two sites = 24 days)
• 5 days of document review (approx. 5 hours per process: 40 hours)
• 1 day of interview per process × 2 sites: 16 days
• 2 days preparation of results report
• 1 day presentation of results
7 Conclusions

It is very important for an energy-related company to identify the cybersecurity training its personnel require, and not only to identify these needs but also to establish a mechanism that ensures the personnel have all the required information and training. This is a key aspect in avoiding the risks that arise from carelessness or unintentional errors of the employees. The model presented in this document supports companies in the energy sector in improving the way they train personnel in cybersecurity.

This document presents the Cybersecurity Awareness and Training Model for energy-related personnel and processes. The proposed model has three main parts:

• The first part, the Cybersecurity Maturity Model, has the objective of supporting energy-related organisations in the definition of the processes and practices that have to be defined and deployed in a company to improve the competency level of its personnel in cybersecurity aspects. It is based on People CMM. Although People CMM has five levels of maturity, we have considered that the deployment of the basic practices to acquire the required knowledge and skills in cybersecurity is achieved in level 2 (People Managed) and level 3 (Competency Managed). The other levels of People CMM are aimed at organizations oriented to intensive continuous improvement; these organizations must be able to quantitatively predict the benefit that a new improvement will bring to their business activity. This extension of the model could be done afterwards, because the design of the model allows this kind of extension.

• The second part, the Cybersecurity Competency Model, defines the set of knowledge and skills required to perform a specific job in a company. This competency model is based on the NIST NICE Framework, customised to the specific cybersecurity needs of the user roles defined in this project for an EPES stakeholder. A practical example of this competency model can be found in Annex I, where for each user role a table is defined with information about the assets, the threats associated with the assets, and the knowledge, skills and abilities.

• Finally, the Evaluation Tool supports the company in assessing the processes that the energy-related company has in place and in identifying which are not implemented. Based on this information the tool reports the level of maturity of the company with respect to the implementation of the processes for the cybersecurity training required by its personnel.
Annex I. Activity Roles in an Energy Company

This Annex contains a description of the different User Roles that have been defined for an Energy Company. Each Role description provides information about:

• The main activity of the role.
• The list of company assets that are managed, controlled or operated by the role.
• The list of threats suffered by the assets.
• The list of knowledge, skills and abilities to be adopted by the role.

This information can be used as a guideline to define the competences of each Role in the Company.

Executive Manager

Table 30 contains a detailed description of the Executive Manager Role including assets, threats, knowledge, skills and abilities.


Table 30. Executive Manager Role Description.

Executive Manager

Role Description: The executive manager defines, executes, supervises and updates the operational plan of the organisation.

Stakeholders: All.

Location: Office.

Managed and controlled information: Inventory of Assets; Operational; Historical information; Trending information; Trading information; Databases. The executive manager must have control of all the information of the company.

Managed software: Applications oriented to the staff and applications oriented to the network. The executive manager can access different types of applications and databases. Currently, there is a tendency to upload all the company's information to servers and repositories in the cloud.

Used services: Clients: mail, print service, authentication service, ... File service, network service, name service, address service, ...

Used hardware: Media devices: PC, notebook, tablet, mobile phone, printer, ...; external storage. Displays: monitor, beamer. Human interaction: keyboard, mouse.

Infrastructure: Facilities: office, control centre.

Personnel: User, Operator, Administrator, Developer. The executive manager is responsible for all the staff of the company.

Threats & Vulnerabilities
Unintentional damage (accidental):
• Credential theft. As in the case of the System Administrators, Security Administrators are a special target of hackers, who try to steal their credentials to enter the system. Special attention should be paid to the information that is published in social networks and to the mail received.
• Erroneous use or administration of devices and systems.
• Definition of weak security policies: generic user accounts and passwords, passwords that do not expire, ...
• Using information from an unreliable source.
• Unintentional change of data in an information system: LDAP, SIEM, SOC, ...
• Inadequate design and planning or lack of adaptation.
• Wrong definition of security procedures.
• Damages resulting from a penetration test due to a wrong design.
• Damage caused by a third party that is collaborating with the security department.

Damage/Loss (IT Assets):
• Loss of (integrity of) sensitive information, information device, storage media and documents.
• Destruction of records, devices or storage media, for example because of a ransomware attack.
• Information leakage.

Failures / Malfunction:
• Failure of devices or systems: LDAP, SIEM, SOC, ...
• Failure or disruption of service providers: LDAP, SIEM, SOC, ...

Eavesdropping / Interception / Hijacking:
• Interception of information.
• Replay of messages.
• Man in the Middle / Session hijacking.
• Repudiation of actions.

Nefarious Activity / Abuse:
• All threats should be considered.

Legal:
• Violation of laws or regulations / Breach of legislation.
• Failure to meet contractual requirements.
• Unauthorized use of copyrighted material.

Knowledge

Category | Level | Knowledge
Communication Networks | Basic |
- Basic knowledge about networks and communications
- Knowledge of the basic structure, architecture, and design of modern communication networks
- Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Cybersecurity | Basic |
- Knowledge of risk management processes
- Knowledge of cybersecurity and privacy principles
Information Management | Basic |
- Knowledge of sources, characteristics, and uses of the organization's data assets
Laws and Regulations | Medium |
- Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures
Organisational | Basic |
- Knowledge of organizational security policies
Organisational | Medium |
- Knowledge of training and education policies, processes, and procedures
Organisational | Advanced |
- Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information
- Knowledge of deconfliction processes and procedures
- Knowledge of organizational human resource policies, processes, and procedures
- Knowledge of organizational process improvement concepts and process maturity models
- Knowledge about company organizational structure, roles and responsibilities
- Targeting and Tasking
Technology Trend | Medium |
- Knowledge of emerging technologies that have potential for exploitation


Skill

Category | Skill
Collection |
- Skill to extract information from available tools and applications associated with collection requirements and collection operations management.
- Skill to use collaborative tools and environments for collection operations.
Cybersecurity |
- Skill in performing impact/risk assessments.
- Skill in applying confidentiality, integrity, and availability principles.
Information and Communication Technologies |
- Skill in generating queries and reports.
Information Management |
- Skill to access information on current assets available, usage.
- Skill in using knowledge management technologies.
- Skill in conducting social network analysis.
- Skill in recognizing relevance of information.
- Skill in conducting information searches.
Laws and Regulations |
- Skill in preserving evidence integrity according to standard operating procedures or national standards.
- Skill in complying with the legal restrictions for targeted information.
Organisational |
- Skill in interfacing with customers.
- Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
- Skill in negotiating vendor agreements and evaluating vendor privacy practices.
- Skill to analyze and assess internal and external partner reporting.
- Skill in developing intelligence reports.
- Skill in applying organization-specific systems analysis principles and techniques.
- Skill to compare indicators/observables with requirements.
- Skill to craft indicators of operational progress/success.

Ability

Category | Ability
Cybersecurity |
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies |
- Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management |
- Ability to evaluate information for reliability, validity, and relevance.
- Ability to ensure information security management processes are integrated with strategic and operational planning processes.
Laws and Regulations |
- Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
- Ability to author a privacy disclosure statement based on current laws.
Organisational |
- Ability to interpret and translate customer requirements into operational action.
- Ability to assess and forecast manpower requirements to meet organizational objectives.
- Ability to determine the validity of workforce trend data.
- Ability to utilize multiple intelligence sources across all intelligence disciplines.
- Ability to apply approved planning development and staffing processes.
- Ability to coordinate, collaborate and disseminate information to subordinate, lateral and higher-level organizations.
- Ability to relate strategy, business, and technology in the context of organizational dynamics.
- Ability to work across departments and business units to implement the organization's privacy principles and programs and align privacy objectives with security objectives.
- Ability to work closely with authorizing officials and their designated representatives to help ensure that security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner.
- Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.


Security Administrator

Table 31 contains a detailed description of the Security Administrator Role including assets, threats, knowledge, skills and abilities.

Table 31. Security Administrator Role Description.

Role | Security Administrator
Role Description | The Security Administrator is the person responsible for the overall security of the company, overseeing and enforcing the cybersecurity policy, identifying the organization's assets (including people, buildings, machines, systems and information assets), and developing, documenting, and implementing policies and procedures for protecting these assets.
Stakeholders | All
Location | Typically, the security administrator belongs to the system and informatics department, which carries out the daily maintenance of the servers and deals with cyber-security events. Control Centre in case of a cyberattack.

Type | Category | Assets
Managed and controlled information | Inventory of assets | Company staff, company assets, ...
Managed and controlled information | Operational | System state in case of an attack.
Managed and controlled information | Historical information | Cybersecurity procedures, actions, evidences, ...
Managed and controlled information | Trending information | Historical suffered attacks.
Managed and controlled information | System Configuration | User credentials and access permissions.
Managed software | Databases | Active Directory (LDAP) for authorization and authentication. Personnel records.
Managed software | Applications | Security Information Repository (SIEM, SOC, ...)
Used services | Oriented to the staff | Mail, print service, authentication service, ...
Used services | Oriented to the network | File service, network service, name service, address service, ...
Used hardware | Clients | PC, Notebook, Tablet, mobile-phone, printer, ...
Used hardware | Media devices | External storage
Used hardware | Displays | Monitor, Beamer
Used hardware | Human interaction | Keyboard, Mouse
Infrastructure | Facilities | Office, Control Centre.
Personnel | User, Operator, Administrator, Developer |


Threats & Vulnerabilities

Unintentional damage (accidental) |
- Credential theft. As in the case of the System Administrators, the Security Administrator is a special target of hackers who try to steal his/her credentials to enter the system. Special attention should be paid to the information that is published on social networks and to the mail received.
- Erroneous use or administration of devices and systems.
- Definition of weak security policies: generic user accounts and passwords, passwords that do not expire, ...
- Using information from an unreliable source.
- Unintentional change of data in an information system: LDAP, SIEM, SOC, ...
- Inadequate design and planning or lack of adaptation.
- Wrong definition of security procedures.
- Damages resulting from a penetration test due to a wrong design.
- Damage caused by a third party that is collaborating with the security department.
Damage/Loss (IT Assets) |
- Loss of (integrity of) sensitive information, information devices, storage media and documents.
- Destruction of records, devices or storage media, for example because of a ransomware attack.
- Information leakage.
Failures / Malfunction |
- Failure of devices or systems: LDAP, SIEM, SOC, ...
- Failure or disruption of service providers: LDAP, SIEM, SOC, ...
Eavesdropping / Interception / Hijacking |
- Interception of information
- Replay of messages
- Man in the Middle / Session hijacking
- Repudiation of actions
Nefarious Activity / Abuse | All threats should be considered.
Legal |
- Violation of laws or regulations / Breach of legislation
- Failure to meet contractual requirements
- Unauthorized use of copyrighted material

Knowledge
Category | Level | Knowledge
Collection | Medium |
- Knowledge of collection disciplines and capabilities.
- Knowledge of the available tools and applications associated with collection requirements and collection management.
Communication Networks | Medium / Advanced |
- Basic knowledge about networks and communications
- Knowledge of the basic structure, architecture, and design of modern communication networks
- Knowledge about industrial and TCP/IP protocols
- Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
- Knowledge on network management
- Advanced knowledge about a communication technology
Cybersecurity | Basic / Medium / Advanced |
- Knowledge of cryptography and cryptographic key management concepts: encryption algorithms and methodologies
- Knowledge of authentication, authorization, and access control methods
- Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities
- Knowledge of cyber defense and information security policies, procedures, and regulations
- Knowledge of ethical hacking principles and techniques
- Knowledge of concepts and practices of processing digital forensic data
- Knowledge of incident categories and incident responses
- Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization
- Knowledge of risk management processes
- Knowledge of cybersecurity and privacy principles
- Knowledge of cyber threats and vulnerabilities
Information and Communication Technologies | Basic / Medium / Advanced |
- Knowledge of computer programming principles
- Knowledge of software design tools, methods, and techniques
- Knowledge of database management systems, query languages, table relationships, and views
- Knowledge about the design and development of hardware devices
- Knowledge of information technology (IT) architectural concepts and frameworks
- Knowledge of the characteristics of physical and virtual data storage media
- Knowledge of operating systems
- Knowledge of systems engineering theories, concepts, and methods
- Knowledge of how Internet applications work
- Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
Information Management | Medium / Advanced |
- Knowledge of the capabilities and functionality associated with content creation and processing technologies
- Knowledge of data administration and data standardization policies
- Knowledge of sources, characteristics, and uses of the organization's data assets
- Knowledge of critical information technology
Laws and Regulations | Medium |
- Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures
Organisational | Medium |
- Knowledge of organizational process improvement concepts and process maturity models
- Knowledge about company organizational structure, roles and responsibilities
Organisational | Advanced |
- Knowledge of organizational security policies
Technology Trend | Basic |
- Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics
- Knowledge of emerging technologies that have potential for exploitation


Skill

Category | Skill
Cybersecurity |
- Skill in developing and applying security system access controls.
- Skill in maintaining directory services (e.g., Microsoft Active Directory, LDAP, etc.).
- Skill in the use of social engineering techniques (e.g., phishing, baiting, tailgating, etc.).
- Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- Skill in evaluating the adequacy of security designs.
- Skill in system, network, and OS hardening techniques (e.g., remove unnecessary services, password policies, network segmentation, enable logging, least privilege, etc.).
- Skill in assessing security systems designs.
- Skill in translating operational requirements into protection needs (i.e., security controls).
- Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- Skill to use cyber defense Service Provider reporting structure and processes within one's own organization.
- Skill in the use of penetration testing tools and techniques.
- Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
- Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
- Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
- Skill in deep analysis of captured malicious code (e.g., malware forensics).
- Skill in reviewing logs to identify evidence of past intrusions.
- Skill in using incident handling methodologies.
- Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
- Skill in assessing and/or estimating effects generated during and after cyber operations.
- Skill to design incident response for cloud service models.
- Skill to respond and take local actions in response to threat sharing alerts from service providers.
- Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).
- Skill in performing impact/risk assessments.
- Skill in applying confidentiality, integrity, and availability principles.
- Skill in designing security controls based on cybersecurity principles and tenets.
- Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
- Skill in identifying critical target elements, to include critical target elements for the cyber domain.
- Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
- Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
- Skill in conducting application vulnerability assessments.
- Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning).
- Skill in identifying cyber threats which may jeopardize organization and/or partner interests.
- Skill in interpreting vulnerability scanner results to identify vulnerabilities.
- Skill to anticipate new security threats.
- Skill to develop insights about the context of an organization's threat environment.
- Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.
Information and Communication Technologies |
- Skill in generating queries and reports.
- Skill to access the databases where plans/directives/guidance are maintained.
- Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management |
- Skill to access information on current assets available, usage.
- Skill to identify sources, characteristics, and uses of the organization's data assets.
- Skill in using knowledge management technologies.
- Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
- Skill in conducting social network analysis.
- Skill in evaluating information for reliability, validity, and relevance.
- Skill in recognizing relevance of information.
- Skill in conducting information searches.
Laws and Regulations |
- Skill in complying with the legal restrictions for targeted information.
Organisational |
- Skill to compare indicators/observables with requirements.
- Skill to craft indicators of operational progress/success.
- Skill in talking to others to convey information effectively.
- Skill in preparing and presenting briefings.
- Skill in preparing plans and related correspondence.
- Skill in reviewing and editing plans.
- Skill in writing effectiveness reports.
- Skill to prepare and deliver reports, presentations and briefings, to include using visual aids or presentation technology.


Ability (Personal Skills)

Category | Ability
Cybersecurity |
- Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
- Ability to establish and maintain automated security control assessments.
- Ability to conduct a comprehensive assessment of the management, operational, and technical security controls.
- Ability to assess a security plan to help ensure that the plan provides a set of security controls for the system that meet the stated security requirements.
- Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
- Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy.
- Ability to provide an assessment of the severity of weaknesses or deficiencies discovered in the system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
- Ability to prepare the final security assessment report containing the results and findings from the assessment.
- Ability to apply secure system design tools, methods and techniques.
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- Ability to conduct systems security engineering activities (NIST SP 800-16).
Information and Communication Technologies |
- Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management |
- Ability to analyze test data.
- Ability to evaluate information for reliability, validity, and relevance.
- Ability to ensure information security management processes are integrated with strategic and operational planning processes.
Laws and Regulations |
- Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
- Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
- Ability to author a privacy disclosure statement based on current laws.
Organisational |
- Ability to ensure the organization has adequately trained personnel to assist in complying with security requirements in legislation, Executive Orders, policies, directives, instructions, standards, and guidelines.
- Ability to coordinate with senior leadership of an organization to provide a comprehensive, organization-wide, holistic approach for addressing risk: an approach that provides a greater understanding of the integrated operations of the organization.
- Ability to coordinate with senior leadership of an organization to develop a risk management strategy for the organization providing a strategic view of security-related risks for the organization.
- Ability to coordinate with senior leadership of an organization to facilitate the sharing of risk-related information among authorizing officials and other senior leaders within the organization.
- Ability to coordinate with senior leadership of an organization to provide oversight for all risk management-related activities across the organization to help ensure consistent and effective risk acceptance decisions.
- Ability to coordinate with senior leadership of an organization to ensure that authorization decisions consider all factors necessary for mission and business success.
- Ability to coordinate with senior leadership of an organization to identify the organizational risk posture based on the aggregated risk from the operation and use of the systems for which the organization is responsible.
- Ability to work closely with authorizing officials and their designated representatives to help ensure that an organization-wide security program is effectively implemented, resulting in adequate security for all organizational systems and environments of operation.
- Ability to work closely with authorizing officials and their designated representatives to help ensure that security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles.
- Ability to work closely with authorizing officials and their designated representatives to help ensure that security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner.
- Ability to approve security plans, memorandums of agreement or understanding, plans of action and milestones, and determine whether significant changes in the systems or environments of operation require reauthorization.
- Ability to serve as the primary liaison between the enterprise architect and the systems security engineer and coordinate with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.
- Ability to ensure information system security, acquisition personnel, legal counsel, and other appropriate advisors and stakeholders are participating in decision making from system concept definition/review and are involved in, or approve of, each milestone decision through the entire system life cycle for systems.


Power Plant Operator

Table 32 contains a detailed description of the Power Plant Operator Role including assets, threats, knowledge, skills and abilities.

Table 32. Power Plant Operator Role Description.

Role | Power Plant Operator
Role Description | Power plant operators monitor, control, and configure the power plant operation. They use control boards (SCADA [22]) to distribute power from generators among loads and regulate the output of several generators. The main tasks of the plant operator are:
- Ensuring the energy production according to the energy market agreements.
- Surveillance of the correct operation of the plant and of the electrical substation uprating the electrical power to the distribution or transmission level.
- Detecting functional failures in the generation process.
- Acting over trackers and inverters (PV plants).
- Maintaining the electronic equipment in perfect working status.
Stakeholders | Energy Producers.
Location | In large power plants, the physical process is monitored and controlled from the control room of the plant, where the SCADA is located. In the case of the smaller renewable plants the supervision is done remotely, in the central headquarters of the energy providers.

[22] SCADA. Supervisory Control And Data Acquisition.


Type | Category | Assets
Managed and controlled information | Inventory of assets | Power plant components and devices.
Managed and controlled information | Operational | Status, alarms, events, shortage, disturbances, ...
Managed and controlled information | Historical information | Production data, weather and irradiation data, alarm summaries, general events, maintenance dates and registers
Managed and controlled information | Trending information | Production data, weather data, irradiation data
Managed and controlled information | System Configuration | Network topology, IP - MAC addresses, user credentials, permissions, configuration files, ...
Managed software | Databases | Data repositories: configuration files, asset inventory, fault registry, ... Backup repositories: in case of an attack the plant operator should be able to restore the whole system from the backup.
Managed software | Applications |
- SCADA. It receives information from the process and visualises the state of the components and the main process measurements. It also allows the operation, sending commands to the actuators.
- Forecasting Tools. In the renewable generation plant the forecasting tools provide information about the weather conditions that affect the energy production.
- Automatic Voltage Regulator and Governor Control. The AVR is the system for adjusting the power output of multiple generators at different power plants, in response to changes in the load.
- Automatic generation control (AGC) is a system for adjusting the power output of multiple generators at different power plants.
- Fault Management.
- PLC software and program versions.
Used services | Oriented to the staff | Mail, print service, authentication service, ...
Used services | Oriented to the network | File service, network service, name service, address service, ...
Used hardware | Clients | PC, Notebook, Tablet, mobile-phone, printer, ...
Used hardware | Media devices | External storage
Used hardware | Displays | Monitor, Beamer
Used hardware | Human interaction | Keyboard, Mouse
Infrastructure | Facilities | Power Plant, Control Centre (in case of remote supervision of the plant).

Threats & Vulnerabilities
Unintentional damage (accidental) |
- Credential theft.
- Erroneous use or administration of devices and systems: weak password management, ...
- Using information from an unreliable source.
- Unintentional change of data in an information system.
- Inadequate design and planning or lack of adaptation.
Damage/Loss (IT Assets) |
- Loss of (integrity of) sensitive information, information devices, storage media and documents.
- Destruction of records, devices or storage media, for example because of a ransomware attack.
- Information leakage that allows hackers to obtain private sensitive information: energy consumption, session data, access control data, ...
Failures / Malfunction |
- Failure of devices or systems that can generate false positives of incidents.
- Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking |
- Interception of information
- Replay of messages
- Network reconnaissance and information gathering
- Man in the Middle / Session hijacking
- Repudiation of actions
Nefarious Activity / Abuse | All threats should be considered.


Knowledge

Category | Level | Knowledge
Collection | Basic |
- Knowledge of collection management processes, capabilities, and limitations.
- Knowledge of collection disciplines and capabilities.
Communication Networks | Basic |
- Basic knowledge about networks and communications
- Knowledge of the basic structure, architecture, and design of modern communication networks
- Knowledge about industrial and TCP/IP protocols
- Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Cybersecurity | Basic |
- Knowledge of authentication, authorization, and access control methods.
- Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
- Knowledge of cyber defense and information security policies, procedures, and regulations.
- Knowledge of ethical hacking principles and techniques.
- Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization
- Knowledge of risk management processes
- Knowledge of cybersecurity and privacy principles
- Knowledge of cyber threats and vulnerabilities
Cybersecurity | Advanced |
- Knowledge of incident categories and incident responses
Information and Communication Technologies | Basic |
- Knowledge of database management systems, query languages, table relationships, and views
- Knowledge about the design and development of hardware devices
- Knowledge of information technology (IT) architectural concepts and frameworks
- Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
- Knowledge of the characteristics of physical and virtual data storage media
- Knowledge of operating systems
- Knowledge of systems engineering theories, concepts, and methods
Information Management | Basic |
- Knowledge of sources, characteristics, and uses of the organization's data assets
- Knowledge of data administration and data standardization policies
- Knowledge of the capabilities and functionality associated with content creation and processing technologies
- Knowledge of critical information technology
Laws and Regulations | Basic |
- Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures
Organisational | Advanced |
- Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information.
- Knowledge of intelligence disciplines
- Knowledge of training and education policies, processes, and procedures
- Knowledge of organizational process improvement concepts and process maturity models
- Knowledge about company organizational structure, roles and responsibilities
- Knowledge of organizational security policies
Technology Trend | Basic |
- Knowledge of emerging technologies that have potential for exploitation


Category / Skill
Cybersecurity:
  • Skill in applying confidentiality, integrity, and availability principles.
  • Skill in identifying critical target elements, to include critical target elements for the cyber domain.
Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill to access the databases where plans/directives/guidance are maintained.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management:
  • Skill to access information on current assets available, usage.
  • Skill to identify sources, characteristics, and uses of the organization's data assets.
  • Skill in using knowledge management technologies.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.
Laws and Regulations:
  • Skill in complying with the legal restrictions for targeted information.
Organisational:
  • Skill to compare indicators/observables with requirements.
  • Skill to craft indicators of operational progress/success.
Category / Ability
Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.
Organisational:
  • Ability to effectively collaborate via virtual teams.
  • Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.


Facility Operator
Table 33 contains a detailed description of the Facility Operator Role including assets, threats, knowledge, skills and abilities.

Table 33. Facility Operator

Role: Facility Operator
Role Description: Engineer that operates the electrical equipment of the power plant: RTUs, inverters, ...
Stakeholders: Energy producers.
Location: Power Plants

Type / Category / Assets
Managed and controlled information:
  Inventory of assets: Power plant components and devices.
  Operational: Status, alarms, events, shortage, disturbances, ...
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files, ...
Managed software:
  Databases: Data Repositories: configuration files, asset inventory, fault registry, ... Backup repositories. In case of an attack the plant operator should be able to restore a device.
  Applications: Configuration tools
  Firmware: RTU, IED
Used services:
  Oriented to the staff: Mail, print service, authentication service, ...
  Oriented to the network: File service, network service, name service, address service, ...
Used hardware:
  Smart grid: RTU, IED, PLC, DCS, ...
  Clients: PC, Notebook, Tablet, mobile-phone, printer, ...
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point, ...
  Media devices: External storage
Infrastructure:
  Facilities: Power Plant.
Threats & Vulnerabilities
Credential steal.
Unintentional damage (accidental):
  Erroneous use or administration of devices and systems: weak password management, ...
  Using information from an unreliable source, for example a non-authenticated firmware.
  Unintentional change of data in an information system, wrong configuration of devices.
  Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets):
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information: configuration files, access control data, ...
Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions
Nefarious Activity / Abuse:
  All threats should be considered.

Category / Level / Knowledge
Communication Networks (Medium):
  • Basic knowledge about networks and communications
  • Knowledge of the basic structure, architecture, and design of modern communication networks
  • Knowledge on network management
  • Knowledge about industrial and TCP/IP protocols
Cybersecurity (Basic):
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities
Information and Communication Technologies (Medium):
  • Knowledge about the design and development of hardware devices
  • Knowledge of information technology (IT) architectural concepts and frameworks
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of operating systems
  • Knowledge of systems engineering theories, concepts, and methods
Information Management (Medium):
  • Knowledge of sources, characteristics, and uses of the organization's data assets

Category / Skill
Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.
Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management:
  • Skill to access information on current assets available, usage.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.


Category / Ability
Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Organisational:
  • Ability to effectively collaborate via virtual teams.


Field Engineer
Table 34 contains a detailed description of the Field Engineer Role including assets, threats, knowledge, skills and abilities.

Table 34. Field Engineer Role Description.

Role: Field Engineer
Role Description: Engineer that is always present in the facility and may be instructed by the System Administrator or the facility operator to perform specific actions for maintenance or infrastructure protection.
Stakeholders: Energy producers.
Location: Power Plants

Type / Category / Assets
Managed and controlled information:
  Inventory of assets: Power plant components and devices.
  Operational: Status, alarms, events, shortage, disturbances, ... of the power plant equipment.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files, ...
Managed software:
  Databases: Data Repositories: configuration files, asset inventory, fault registry, ... Backup repositories. In case of an attack the plant operator should be able to restore a device.
  Applications: Configuration tools
  Firmware: RTU
Used services:
  Oriented to the staff: Mail, print service, authentication service, ...
  Oriented to the network: File service, network service, name service, address service, ...
Used hardware:
  Smart grid: RTU, Inverter, ...
  Clients: PC, Notebook, Tablet, mobile-phone, printer, ...
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point, ...
  Media devices: External storage
Infrastructure:
  Facilities: Power Plant.


Threats & Vulnerabilities
Credential steal.
Unintentional damage (accidental):
  Erroneous use or administration of devices and systems (e.g., weak password management).
  Using information from an unreliable source, installing wrong firmware.
  Unintentional change of data in an information system, wrong configuration of devices.
  Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets):
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information (e.g., configuration files, access control data).
Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions
Nefarious Activity / Abuse:
  All threats should be considered.

Category / Level / Knowledge
Communication Networks (Basic):
  • Basic knowledge about networks and communications.
  • Advanced knowledge about a communication technology.
  • Knowledge on network management.
  • Knowledge about industrial and TCP/IP protocols
  • Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Communication Networks (Medium):
  • Knowledge of the basic structure, architecture, and design of modern communication networks
Cybersecurity (Basic):
  • Knowledge of authentication, authorization, and access control methods
  • Knowledge of cyber defense and information security policies, procedures, and regulations.
  • Knowledge of ethical hacking principles and techniques.
  • Knowledge of risk management processes
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities
Cybersecurity (Medium):
  • Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
  • Knowledge of incident categories and incident responses
Information and Communication Technologies (Basic):
  • Knowledge about the design and development of hardware devices
Information and Communication Technologies (Medium):
  • Knowledge of the characteristics of physical and virtual data storage media
Information Management (Advanced):
  • Knowledge of sources, characteristics, and uses of the organization's data assets
Technology Trend (Basic):
  • Knowledge of emerging technologies that have potential for exploitation


Category / Skill
Cybersecurity:
  • Skill in assessing security systems designs.
  • Skill in translating operational requirements into protection needs (i.e., security controls).
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.
  • Skill in identifying critical target elements, to include critical target elements for the cyber domain.
Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management:
  • Skill to access information on current assets available, usage.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in designing a data analysis structure (i.e., the types of data a test must generate and how to analyse that data).
  • Skill in developing data dictionaries.
  • Skill in developing data models.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.


Category / Ability
Cybersecurity:
  • Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy.
  • Ability to provide an assessment of the severity of weaknesses or deficiencies discovered in the system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
  • Ability to prepare the final security assessment report containing the results and findings from the assessment.
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.
Personal Abilities:
  • Ability to effectively collaborate via virtual teams.




  • Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.


System Operator/Engineer
Table 35 contains a detailed description of the System Operator and Engineer Role including assets, threats, knowledge, skills and abilities.

Table 35. System Operator / Engineer Role Description.

Role: System Operator / Engineer
Role Description: The system operator is a person who controls and supervises the electric grid or a big part of it and is responsible for coordinating its various aspects to ensure the grid's availability and health. It is the entity responsible for the reliability of its local transmission and/or distribution system, and that operates or directs the operations of the grid facilities.
Stakeholders: TSO & DSO
Location: Control Centre.

Type / Category / Assets
Managed and controlled information:
  Inventory of Electrical Assets: Cables, relays, transformers, power switches, sensors, actuators.
  Operational: Status, alarms, events, shortage, disturbances
  Historical information: Production data, weather data, alarm summaries, general events, maintenance dates and registers
  Trending information: Consumption habits that can predict the near future consumption and renewable generation.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
Managed software:
  Databases: Data Repositories, Backups.
  Applications:
    SCADA. It receives information from the electrical substations and visualises the state of the substation components (mainly circuit breakers or disconnection switches) and the electrical measurements. It also allows the operation, sending commands.
    Forecasting Tools.
    State Estimation.
    Load Shedding. They are useful in preventing system collapse in cases where the system generation is insufficient to match up to the load.
    Fault Management.
    Automatic Generation Control (AGC). The AGC loop is a secondary frequency control loop that is concerned with fine-tuning the system frequency to its nominal value. The function of the AGC loop is to make corrections to inter-area tie-line flow and frequency deviation.
    Volt/VAR Control. The DSO is responsible for maintaining the distribution network voltage level.
    Advanced Metering Infrastructure (AMI). It manages consumer data through the smart meters, allowing the DSO to increase reliability, incorporate renewable energy, and provide consumers with an efficient billing process and granular consumption monitoring through Demand Side Management.
Used services:
  Oriented to the staff: Mail, print service, authentication service, ...
  Oriented to the network: File service, network service, name service, address service.
Used hardware:
  Clients: PC, Notebook, Tablet, mobile-phone, printer, ...
  Media devices: External storage
  Displays: Monitor, Beamer
  Human interaction: Keyboard, Mouse
Infrastructure:
  Facilities: Office, Control Centre.


Threats & Vulnerabilities
Credential steal.
Unintentional damage (accidental):
  Erroneous use or administration of devices and systems: weak password management, ...
  Using information from an unreliable source.
  Unintentional change of data in an information system.
  Inadequate design and planning or lack of adaptation.
  Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets):
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information: energy consumption, session data, access control data, ...
Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions
Nefarious Activity / Abuse:
  All threats should be considered.

Category / Level / Knowledge
Collection (Basic):
  • Knowledge of the available tools and applications associated with collection requirements and collection management.
Communication Networks (Basic):
  • Basic knowledge about networks and communications
  • Knowledge about industrial and TCP/IP protocols
Cybersecurity (Basic):
  • Knowledge of authentication, authorization, and access control methods.
  • Knowledge of cyber defense and information security policies, procedures, and regulations.
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities
Cybersecurity (Advanced):
  • Knowledge of incident categories and incident responses
Information and Communication Technologies (Basic):
  • Knowledge of database management systems, query languages, table relationships, and views.
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly.
  • Knowledge of systems engineering theories, concepts, and methods.
Information Management (Basic):
  • Knowledge of sources, characteristics, and uses of the organization's data assets
  • Knowledge of data administration and data standardization policies
Laws and Regulations (Basic):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures
Organisational (Basic):
  • Knowledge of deconfliction processes and procedures
  • Knowledge of organizational human resource policies, processes, and procedures.
  • Knowledge about company organizational structure, roles and responsibilities
  • Knowledge of organizational security policies
Technology Trend (Basic):
  • Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics.
  • Knowledge of emerging technologies that have potential for exploitation


Category / Skill
Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.
  • Skill in identifying critical target elements, to include critical target elements for the cyber domain.
Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill to access the databases where plans/directives/guidance are maintained.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management:
  • Skill to access information on current assets available, usage.
  • Skill to identify sources, characteristics, and uses of the organization's data assets.
  • Skill in using knowledge management technologies.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.
Laws and Regulations:
  • Skill in complying with the legal restrictions for targeted information.
Organisational:
  • Skill to compare indicators/observables with requirements.
  • Skill to craft indicators of operational progress/success.

Category / Ability
Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.
Personal Abilities:
  • Ability to effectively collaborate via virtual teams.
  • Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.


Energy Trader
Table 36 contains a detailed description of the Energy Trader Role including assets, threats, knowledge, skills and abilities.

Table 36. Energy Trader Role Description.

Role: Energy Trader
Role Description: The energy trader is responsible for the trading of energy between cooperating parties and coordinates with the System Operator to achieve the desired status of the grid.
Stakeholders: TSO
Location: Control Centre

Type / Category / Assets
Managed and controlled information:
  Historical information that must be stored by law: The Energy Trader should have the necessary market knowledge, potential customers and some knowledge of the legal framework. Energy market transactions: generation and consumption offers, price matching, bilateral contracts.
  Trending information: Historical information about generation and consumption; historical information about energy market transactions; market evolution.
  Trading information: Energy market agents; historical information about generation and consumption; historical information about energy market transactions; market evolution.
  System Configuration: Grid topology: transmission grid, generation centres, big consumers, primary substations, ... Energy actors (e.g., generators, aggregators, DSOs, energy traders). Information about the system operators.
Managed software:
  Databases: Market Agents, Generation and Consumption Bids, Bilateral contracts, Billing.
  Applications: Market Operator Information System
Used services:
  Oriented to the staff: Mail Service, Authentication Service, Office applications. Energy market information services (e.g., offers, contract, evolution, adjustment).
  Oriented to the network: File service, network service, name service, address service.
Used hardware:
  Clients: PC, Notebook, Tablet, mobile-phone, printer, ...
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point.
  Media devices: External storage
  Displays: Monitor, Beamer for internal meetings
  Human interaction: Dock Station
Infrastructure:
  Facilities: Access to the Company Premises


Threats & Vulnerabilities
Credential steal.
Unintentional damage (accidental):
  Erroneous use or administration of energy market application (e.g., weak password management).
  Using information from an unreliable source.
  Unintentional change of data in an information system.
  Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets):
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information (e.g., energy transaction, bank accounts).
Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions
Nefarious Activity / Abuse:
  All threats should be considered.

Category / Level / Knowledge
Collection (Basic):
  • Knowledge of collection disciplines and capabilities.
Communication Networks (Basic):
  • Basic knowledge about networks and communications
  • Knowledge about industrial and TCP/IP protocols
  • Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Cybersecurity (Basic):
  • Knowledge of authentication, authorization, and access control methods
  • Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities
  • Knowledge of cyber defense and information security policies, procedures, and regulations.
  • Knowledge of incident categories and incident responses
  • Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization
  • Knowledge of risk management processes
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities
Information and Communication Technologies (Basic):
  • Knowledge of database management systems, query languages, table relationships, and views.
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of the characteristics of physical and virtual data storage media
  • Knowledge of operating systems.
  • Knowledge of how Internet applications work
Information Management (Basic):
  • Knowledge of sources, characteristics, and uses of the organization's data assets
  • Knowledge of data administration and data standardization policies
  • Knowledge of the capabilities and functionality associated with content creation and processing technologies
Laws and Regulations (Basic):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
Organisational (Basic):
  • Knowledge about company organizational structure, roles and responsibilities
  • Knowledge of organizational security policies


Category / Skill
Collection:
  • Extract information from available tools and applications associated with collection requirements and collection operations management.
  • Skill to use collaborative tools and environments for collection operations.
Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in identifying critical target elements.
Information and Communication Technologies:
  • Skill in generating queries and reports and using Boolean operators to construct simple and complex queries.
  • Skill in maintaining databases (i.e., backup, restore, delete data, transaction log files, etc.).
Information Management:
  • Skill to access information on current assets available, usage.
  • Skill in using knowledge management technologies.
  • Skill in conducting social network analysis.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.
Laws and Regulations:
  • Skill in preserving evidence integrity according to standard operating procedures or national standards.
  • Skill in complying with the legal restrictions.
Organisational:
  • Skill in interfacing with customers.
  • Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
  • Skill in negotiating vendor agreements and evaluating vendor privacy practices.
  • Skill to analyse and assess internal and external partner reporting.
  • Skill in developing intelligence reports.
  • Skill in applying organization-specific systems analysis principles and techniques.
  • Skill to compare indicators/observables with requirements.
  • Skill to craft indicators of operational progress/success.
  • Skill to express orally and in writing the relationship between intelligence capability limitations and decision-making risk and impacts on the overall operation.
  • Skill in talking to others to convey information effectively.
  • Skill in preparing and presenting briefings.
  • Skill in reviewing and editing plans.
  • Skill in writing effectiveness reports.
  • Skill to prepare and deliver reports, presentations and briefings, to include using visual aids or presentation technology.
Technology Trend:
  • Skill to remain aware of evolving technical infrastructures.


Category / Ability
Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.
Laws and Regulations:
  • Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
  • Ability to author a privacy disclosure statement based on current laws.
Organisational:
  • Ability to answer questions in a clear and concise manner.
  • Ability to prepare and present briefings.
  • Ability to communicate effectively.
  • Ability to produce technical documentation.
  • Ability to apply collaborative skills and strategies.
  • Ability to effectively collaborate via virtual teams.
  • Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.


AMI and Demand Side Manager
Table 37 contains a detailed description of the AMI and Demand Side Manager Role including assets, threats, knowledge, skills and abilities.

Table 37. AMI and Demand Side Manager Role Description.

Role: AMI & Demand Side Manager
Role Description: Gathering real-time meter readings and managing load control switching mechanisms.
Stakeholders: DSO
Location: Control Centre

Type / Category / Assets
Managed and controlled information:
  Inventory of Electrical Assets: Smart meters, concentrators, smart appliances.
  Operational: Status, alarms, events, shortage, disturbances
  Historical information: Consumption / generation data, demand response actions, flexibility requests.
  Trending information: Consumption habits that can predict the near future consumption and renewable generation.
  Trading information: End user data for billing.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
Managed software:
  Databases: Meter data management system. It stores consumption/generation data gathered from the metering infrastructure.
  Applications: Demand Side Management.
Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.
Used hardware:
  Smart Meters: End devices, local and neighbourhood network access point, External displays, home automation components, AMI head end.
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Media devices: External storage.
Infrastructure:
  Facilities: Office.


Threats & Vulnerabilities
Unintentional damage (accidental)
• Credential steal.
• Erroneous use or administration of energy market application (e.g., weak password management).
• Using information from an unreliable source.
• Unintentional change of data in an information system.
• Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets)
• Destruction of records, devices or storage media, for example because of a ransomware attack.
• Information leakage that allows hackers to obtain private sensitive information (e.g., energy consumed or generated, bank accounts).
Failures/Malfunction
• Failure of devices or systems that can generate false positives of incidents.
• Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking
• Interception of information
• Replay of messages
• Network reconnaissance and information gathering
• Man in the Middle / Session hijacking
• Repudiation of actions
Nefarious Activity / Abuse
• All threats should be considered.

Knowledge

Communication Networks (Basic, Medium)
• (Basic) Knowledge of collection disciplines and capabilities.
• (Basic) Knowledge of the available tools and applications associated with collection requirements and collection management.
• (Medium) Knowledge of collection management processes, capabilities, and limitations.
• (Basic) Knowledge about industrial and TCP/IP protocols.
• (Medium) Knowledge about networks and communications.
Cybersecurity (Basic, Medium, Advanced)
• (Basic) Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
• (Basic) Knowledge of cybersecurity and privacy principles.
• (Medium) Knowledge of incident categories and incident responses.
• (Advanced) Knowledge of authentication, authorization, and access control methods.
Information and Communication Technologies (Basic, Medium)
• (Basic) Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly.
• Knowledge of operating systems.
• Knowledge of database management systems, query languages, table relationships, and views.
• Knowledge about the design and development of hardware devices.
• Knowledge of the capabilities and functionality associated with content creation and processing technologies.
Information Management (Basic, Medium)
• Knowledge of critical information technology.
• Knowledge of sources, characteristics, and uses of the organization's data assets.
• Knowledge of data administration and data standardization policies.
Laws and Regulations (Basic)
• Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
Organisational (Basic)
• Knowledge of deconfliction processes and procedures.
Technology Trend (Basic)
• Knowledge of organizational process improvement concepts and process maturity models.
• Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics.
• Knowledge of emerging technologies that have potential for exploitation.


Skills

Cybersecurity
• Skill in performing impact/risk assessments.
• Skill in applying confidentiality, integrity, and availability principles.
Information and Communication Technologies
• Skill in generating queries and reports.
• Skill to access the databases where plans/directives/guidance are maintained.
• Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management
• Skill to access information on current assets available, usage.
• Skill to identify sources, characteristics, and uses of the organization's data assets.
• Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
• Skill in recognizing relevance of information.
• Skill in conducting information searches.
Laws and Regulations
• Skill in complying with the legal restrictions for targeted information.
Organisational
• Skill to compare indicators/observables with requirements.
• Skill to craft indicators of operational progress/success.
• Skill in talking to others to convey information effectively.
Abilities

Cybersecurity
• Ability to understand the basic concepts and issues related to cyber and its organizational impact.
• Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies
• Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Information Management
• Ability to evaluate information for reliability, validity, and relevance.
Personal Abilities
• Ability to effectively collaborate via virtual teams.
• Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.

Operational Technology Manager / Communication Administrator
Table 38 contains a detailed description of the Operational Technology and Communication Administrator Role including assets, threats, knowledge, skills and abilities.

Table 38. Operational Manager / Communication Administrator Role Description.

Role: Operational Technology Manager / Communication Administrator
Role Description: The person responsible for the OT security and functioning at the control room and in the substations.
Communication Admin is responsible for the availability of the communication network. She is the one responsible for allowing or cutting off traffic in the communication network, identifying cyberattacks, etc. Works closely with the Security Admin.
IT Systems and Network Administrator: This person manages and oversees the operation of the entire IT equipment.


Stakeholders: All
Location: Premises, buildings and offices, control centre, data centre.

Assets (Type / Category / Assets)
Managed and controlled information
  Operational information: Status, alarms, events, shortage, disturbances, of the communication network.
  Trending information: Network data, bandwidth consumption, past problems.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Equipment Inventory: communication devices, IT servers, desktop, laptops, smart mobiles.
Managed software
  Databases: Backup repository. Collects data and answers to requests. Server logs.
  Applications: Asset Management System. The Communication Admin should check the logs regarding any login attempts. She should also check the appropriate monitoring system for any anomalies on the communication network.
  Operating Systems
  Device Drivers
  Firmware
Used services
  Oriented to the staff: Mail, print service, authentication service, ...
  Oriented to the network: File service, network service, name service, address service.
  Cloud services: SaaS, IaaS
Used hardware
  Servers: Hardware servers
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point.
  Media devices: External storage
Infrastructure
  Facilities: Office, control centre, substations, power plants.

Threats & Vulnerabilities
Unintentional damage (accidental)
• Information leakage / sharing due to user error (credential steal).
• Erroneous use or administration of energy market application (e.g., weak password management).
• Using information from an unreliable source.
• Unintentional change of data in an information system.
• Inadequate design or lack of adaptation.
• Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets)
• Destruction of records, devices or storage media, for example because of a ransomware attack.
• Information leakage that allows hackers to obtain private sensitive information (e.g., energy consumed or generated, bank accounts).
Failures/Malfunction
• Failure of devices or systems that can generate false positives of incidents.
• Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking
• Interception of information
• Replay of messages
• Network reconnaissance and information gathering
• Man in the Middle / Session hijacking
• Repudiation of actions
Nefarious Activity / Abuse
• All threats should be considered.

Knowledge

Collection (Basic)
• Knowledge of collection management processes, capabilities, and limitations.
• Knowledge of collection disciplines and capabilities.
• Knowledge of the available tools and applications associated with collection requirements and collection management.
Communication Networks (Medium, Advanced)
• Advanced knowledge about a communication technology.
• Knowledge on network management.
• Knowledge about industrial and TCP/IP protocols.
• Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
• Basic knowledge about networks and communications.
• Knowledge of the basic structure, architecture, and design of modern communication networks.
Cybersecurity (Basic, Medium, Advanced)
• Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
• Knowledge of cyber defense and information security policies, procedures, and regulations.
• Knowledge of cryptography and cryptographic key management concepts: encryption algorithms and methodologies.
• Knowledge of ethical hacking principles and techniques.
• Knowledge of concepts and practices of processing digital forensic data.
• Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization.
• Knowledge of risk management processes.
• Knowledge of cybersecurity and privacy principles.
• Knowledge of cyber threats and vulnerabilities.
• Knowledge of authentication, authorization, and access control methods.
• Knowledge of incident categories and incident responses.
Information and Communication Technologies (Basic, Medium, Advanced)
• Knowledge of database management systems, query languages, table relationships, and views.
• Knowledge about the design and development of hardware devices.
• Knowledge of information technology (IT) architectural concepts and frameworks.
• Knowledge of operating systems.
• Knowledge of computer programming principles.
• Knowledge of software design tools, methods, and techniques.
• Knowledge of how Internet applications work.
• Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly.
• Knowledge of systems engineering theories, concepts, and methods.
• Knowledge of the characteristics of physical and virtual data storage media.
• Knowledge of the capabilities and functionality associated with content creation and processing technologies.
Information Management (Basic, Medium, Advanced)
• Knowledge of critical information technology.
• Knowledge of data administration and data standardization policies.
• Knowledge of sources, characteristics, and uses of the organization's data assets.
Laws and Regulations (Basic)
• Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
Organisational (Basic, Advanced)
• Knowledge of organizational human resource policies, processes, and procedures.
• Knowledge of training and education policies, processes, and procedures.
• Knowledge about company organizational structure, roles and responsibilities.
• Knowledge of organizational security policies.
• (Advanced) Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information.
• (Advanced) Knowledge of organizational process improvement concepts and process maturity models.
Technology Trend (Basic)
• Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics.
• Knowledge of machine learning theory and principles.
• Knowledge of emerging technologies that have potential for exploitation.

Skills

Communication Networks
• Skill in survey, collection, and analysis of wireless LAN metadata.
• Skill in using non-attributable networks.
• Skill in using various open source data collection tools (e.g., online trade, DNS, mail).
• Skill in establishing a routing schema.
• Skill in applying various subnet techniques (e.g., CIDR).
• Skill in setting up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.
• Skill in analysing a target's communication networks.
• Skill in analysing essential network data (e.g., router configuration files, routing protocols).
• Skill in analysing traffic to identify network devices.
• Skill in determining the physical location of network devices.
• Skill in identifying a target's communications networks.
• Skill in identifying a target's network characteristics.
• Skill in identifying the devices that work at each level of protocol models.
• Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
• Skill in using research methods including multiple, different sources to reconstruct a target network.
• Skill in analysing network traffic capacity and performance characteristics.
• Skill in diagnosing connectivity problems.
• Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
• Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
• Skill in using network management tools to analyse network traffic patterns (e.g., simple network management protocol).
• Skill in using protocol analysers.
• Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
• Skill in implementing and testing network infrastructure contingency and recovery plans.
• Skill in performing packet-level analysis.
• Skill in analysing target communications internals and externals collected from wireless LANs.
• Skill in extracting information from packet captures.
• Skill in navigating network visualization software.
Cybersecurity
• Skill in applying host/network access controls (e.g., access control list).
• Skill in developing and applying security system access controls.
• Skill in the use of social engineering techniques (e.g., phishing, baiting, tailgating).
• Skill in recognizing and interpreting malicious network activity in traffic.
• Skill in recognizing denial and deception techniques of the target.
• Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
• Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
• Skill in implementing, maintaining, and improving established network security practices.
• Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, antivirus software, anti-spyware).
• Skill in securing network communications.
• Skill in protecting a network against malware (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters).
• Skill in integrating black box security testing tools into quality assurance process of software releases.
• Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, network intrusion detection systems).
• Skill in applying security controls.
• Skill in system, network, and OS hardening techniques (e.g., remove unnecessary services, password policies, network segmentation, enable logging, least privilege).
• Skill in assessing security systems designs.
• Skill in configuring and utilizing computer protection components (e.g., hardware firewalls, servers, routers, as appropriate).
• Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
• Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments.
• Skill in developing and deploying signatures.
• Skill in using Virtual Private Network (VPN) devices and encryption.
• Skill in reading and interpreting signatures (e.g., snort).
• Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
• Skill in the use of penetration testing tools and techniques.
• Skill in collecting data from a variety of cyber defense resources.
• Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
• Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
• Skill in detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort).
• Skill in analysing malware.
• Skill in performing impact/risk assessments.
• Skill in applying confidentiality, integrity, and availability principles.
• Skill in designing security controls based on cybersecurity principles and tenets.
• Skill in identifying critical target elements, to include critical target elements for the cyber domain.
• Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
• Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
• Skill in using network analysis tools to identify vulnerabilities (e.g., fuzzing, nmap).
• Skill in interpreting vulnerability scanner results to identify vulnerabilities.
Information and Communication Technologies
• Skill in generating queries and reports.
• Skill in maintaining databases (e.g., backup, restore, delete data, transaction log files).
• Skill in using Boolean operators to construct simple and complex queries.
• Skill in tuning sensors.
• Skill in physically disassembling PCs.
• Skill in identifying possible causes of degradation of system performance or availability and initiating actions needed to mitigate this degradation.
• Skill in conducting audits or reviews of technical systems.
• Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
• Skill in installing system and component upgrades (i.e., servers, appliances, network devices).
• Skill in monitoring and optimizing system/server performance.
• Skill in recovering failed systems/servers (e.g., recovery software, failover clusters, replication, etc.).
• Skill in identifying gaps in technical delivery capabilities.
• Skill in determining installed patches on various operating systems and identifying patch signatures.
• Skill in server administration.
• Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
• Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
• Skill in using virtual machines (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud).
• Skill in operating system administration (e.g., account maintenance, data backups, maintain system performance, install and configure new hardware/software).
• Skill in using the appropriate tools for repairing software, hardware, and peripheral equipment of a system.
• Skill in writing test plans.
• Skill in evaluating test plans for applicability and completeness.
Information Management
• Skill to access information on current assets available, usage.
• Skill to identify sources, characteristics, and uses of the organization's data assets.
• Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
• Skill in creating and extracting important information from packet captures.
• Skill in recognizing relevance of information.
• Skill in conducting information searches.

Abilities

Cybersecurity
• Ability to provide an assessment of the severity of weaknesses or deficiencies discovered in the system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
• Ability to prepare the final security assessment report containing the results and findings from the assessment.
• Ability to recognize that changes to systems or environment can change residual risks in relation to risk appetite.
• Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
• Ability to apply secure system design tools, methods and techniques.
• Ability to understand the basic concepts and issues related to cyber and its organizational impact.
• Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
Information and Communication Technologies
• Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
• Ability to execute OS command line (e.g., ipconfig, netstat, dir, nbtstat).
• Ability to examine digital media on multiple operating system platforms.
Information Management
• Ability to analyse test data.
• Ability to interpret the information collected by network tools (e.g., Nslookup, Ping, and Traceroute).
Communication Networks
• Ability to operate network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
• Ability to operate the organization's LAN/WAN pathways.
• Ability to build architectures and frameworks.
• Ability to design architectures and frameworks.
• Ability to set up a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks.
• Ability to operate common network tools (e.g., ping, traceroute, nslookup).
• Ability to monitor traffic flows across the network.
• Ability to monitor system operations and react to events in response to triggers and/or observation of trends or unusual activity.
• Ability to deploy continuous monitoring technologies and tools.
Personal Abilities
• Ability to effectively collaborate via virtual teams.


Substation Engineer
Table 39 contains a detailed description of the Substation Engineer Role including assets, threats, knowledge, skills and abilities.

Table 39. Substation Engineer Role Description.

Role: Substation Engineer
Role Description: The substation engineer is responsible for the design of the transmission or distribution substations. The person in charge of configuring the electrical components of a substation.
The substation engineer goes to the substation to program the protections and performs local tests to ensure their normal operation. Tests to ensure the communication with the control centre are also performed.
Stakeholders: DSO, TSO
Location: Electrical Substations

Assets (Type / Category / Assets)
Managed and controlled information
  Inventory of Electrical Assets: Cables, relays, transformers, power switches, sensors, actuators, etc., of substations.
  Operational: Status, alarms, events, shortage, disturbances, etc., of the communication network.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Equipment Inventory (e.g., communication devices, IT servers, desktop, laptops, smart mobiles).
Managed software
  Databases: Backup repository.
  Applications: Asset Management System.
  Firmware: Firmware versions installed in the devices.
Used services
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.
Used hardware
  Smart Grid, microgrid: RTU, IED, PLC, DCS.
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point.
  Media devices: External storage.
  Human interaction: Keyboard, mouse.
Infrastructure
  Facilities: Substations.

Threats & Vulnerabilities
Unintentional damage (accidental)
• Information leakage / sharing due to user error (credential steal).
• Erroneous use or administration of devices.
• Using information from an unreliable source (non-authorized firmware).
• Unintentional change of data in substation devices.
• Inadequate design or lack of adaptation.
• Loss of (integrity of) sensitive information, information device, storage media and documents.
Damage/Loss (IT Assets)
• Destruction of records, devices or storage media.
• Information leakage that allows hackers to obtain private sensitive information: substation architecture, device information, user guides, ...
Failures/Malfunction
• Failure of devices or systems that can generate false positives of incidents.
• Failure or disruption of communication links when no secure protocols or standards are used.
Eavesdropping / Interception / Hijacking
• Interception of information
• Replay of messages
• Network reconnaissance and information gathering
• Man in the Middle / Session hijacking
• Repudiation of actions
Nefarious Activity / Abuse
• All threats should be considered.

Knowledge

Collection (Basic)
• Knowledge of collection disciplines and capabilities.
• Knowledge of the available tools and applications associated with collection requirements and collection management.
Communication Networks (Basic, Medium, Advanced)
• Advanced knowledge about a communication technology.
• Basic knowledge about networks and communications.
• Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
• Knowledge of the basic structure, architecture, and design of modern communication networks.
• Knowledge on network management.
• Knowledge about industrial and TCP/IP protocols.
Cybersecurity (Basic, Medium)
• Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities.
• Knowledge of cyber defense and information security policies, procedures, and regulations.
• Knowledge of ethical hacking principles and techniques.
• Knowledge of concepts and practices of processing digital forensic data.
• Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization.
• Knowledge of cybersecurity and privacy principles.
• Knowledge of cyber threats and vulnerabilities.
• Knowledge of authentication, authorization, and access control methods.
• Knowledge of incident categories and incident responses.
Information and Communication Technologies (Basic, Advanced)
• Knowledge of database management systems, query languages, table relationships, and views.
• Knowledge about the design and development of hardware devices.
• Knowledge of information technology (IT) architectural concepts and frameworks.
• Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly.
• Knowledge of the characteristics of physical and virtual data storage media.
• Knowledge of operating systems.
• Knowledge of computer programming principles.
• Knowledge of software design tools, methods, and techniques.
• Knowledge of systems engineering theories, concepts, and methods.
Information Management (Basic, Medium)
• Knowledge of sources, characteristics, and uses of the organization's data assets.
• Knowledge of data administration and data standardization policies.
• Knowledge of the capabilities and functionality associated with content creation and processing technologies.
Laws and Regulations (Basic)
• Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
Organisational (Advanced)
• Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information.
• Knowledge of deconfliction processes and procedures.
• Knowledge of training and education policies, processes, and procedures.
• Knowledge about company organizational structure, roles and responsibilities.
• Knowledge of organizational security policies.
Technology Trend (Medium)
• Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics.
• Knowledge of emerging technologies that have potential for exploitation.

Skills

Cybersecurity
• Skill in assessing security systems designs.
• Skill in translating operational requirements into protection needs (i.e., security controls).
• Skill in performing impact/risk assessments.
• Skill in applying confidentiality, integrity, and availability principles.
• Skill in identifying critical target elements, to include critical target elements for the cyber domain.
Information and Communication Technologies
• Skill in generating queries and reports.
• Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management
• Skill to access information on current assets available, usage.
• Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
• Skill in designing a data analysis structure (i.e., the types of data a test must generate and how to analyze that data).
• Skill in developing data dictionaries.
• Skill in developing data models.
• Skill in recognizing relevance of information.
• Skill in conducting information searches.

Abilities

Cybersecurity:
  • Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Ability to provide an assessment of the severity of weaknesses or deficiencies discovered in the system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
  • Ability to prepare the final security assessment report containing the results and findings from the assessment.
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).

Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.

Personal Abilities:
  • Ability to effectively collaborate via virtual teams.
  • Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.


Substation Operator

Table 40 contains a detailed description of the Substation Operator Role including assets, threats, knowledge, skills and abilities.

Table 40. Substation Operator Role Description.

Role: Substation Operator

Role Description: The person in charge of supervising the electrical components of a substation. The Substation Operator is responsible for the normal function of the substation and coordinates with the grid operator to ensure power quality.

Stakeholders: DSO, TSO

Location: Electrical Substations

Assets

Inventory of Assets:
  Electrical: Cables, relays, transformers, power switches, sensors, actuators, etc., of substations.

Managed and controlled information:
  Operational: Status, alarms, events, shortage, disturbances, etc., of the communication network.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Databases: Substation device inventory (electrical and electronic); Backup repository.

Managed software:
  Applications: Local SCADA/HMI. This SCADA is deployed in large substations to facilitate their supervision and control.

Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.

Used hardware:
  Smart Grid, microgrid: RTU, IED, PLC, DCS
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Media devices: External storage
  Human interaction: Keyboard, mouse

Infrastructure:
  Facilities: Substations


Threats & Vulnerabilities

Unintentional damage (accidental):
  Information leakage / sharing due to user error (credential theft).
  Erroneous use or administration of devices.
  Unintentional operation in the substation.

Damage/Loss (IT Assets):
  Loss of (integrity of) sensitive information, information device, storage media and documents.
  Destruction of records, devices or storage media.
  Information leakage that allows hackers to obtain private sensitive information (e.g., substation architecture, device information, user guides).

Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.

Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions

Nefarious Activity / Abuse:
  All threats should be considered.

Knowledge

Communication Networks (Basic):
  • Basic knowledge about networks and communications

Cybersecurity (Basic):
  • Knowledge of authentication, authorization, and access control methods
  • Knowledge of incident categories and incident responses
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities

Information and Communication Technologies (Basic):
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of systems engineering theories, concepts, and methods

Information Management (Basic):
  • Knowledge of data administration and data standardization policies
  • Knowledge of the capabilities and functionality associated with content creation and processing technologies
Information Management (Medium):
  • Knowledge of sources, characteristics, and uses of the organization's data assets

Laws and Regulations (Medium):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures

Organisational (Advanced):
  • Knowledge of organizational human resource policies, processes, and procedures.
  • Knowledge about company organizational structure, roles and responsibilities
  • Knowledge of organizational security policies

Technology Trend (Medium):
  • Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics
  • Knowledge of emerging technologies that have potential for exploitation


Skills

Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.

Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Information Management:
  • Skill to access information on current assets available, usage.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.

Abilities

Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).

Personal Abilities:
  • Ability to effectively collaborate via virtual teams.


Installer

Table 41 contains a detailed description of the Installer Role including assets, threats, knowledge, skills and abilities.

Table 41. Installer Role Description.

Role: Installer

Role Description: Installing and maintaining the electrical and electronic devices.

Stakeholders: DSO, TSO, manufacturer

Location: Electrical Substations

Assets

Inventory of Assets:
  Electrical: Cables, relays, transformers, power switches, sensors, actuators, ... of substations.

Managed and controlled information:
  Operational: Status, alarms, events, shortage, disturbances, ... of the communication network.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Databases: Substation device inventory (electrical and electronic); Backup repository.

Managed software:
  Applications: Local SCADA/HMI. This SCADA is deployed in large substations to facilitate their supervision and control.
  Operating Systems: Installed in the electronic devices
  Device Drivers: Installed in the electronic devices
  Firmware: Firmware versions installed in the devices

Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.
  Cloud services: Cloud repositories

Used hardware:
  Smart Grid, Microgrid: RTU, IED, PLC, DCS
  Servers: Hardware servers
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Network Components: Switch, router, bridge, repeater, modem, gateway, Firewall, WLAN access point.
  Media devices: External storage
  Human interaction: Keyboard, mouse

Infrastructure:
  Facilities: Substations

Threats & Vulnerabilities

Unintentional damage (accidental):
  Information leakage / sharing due to user error (credential theft).
  Erroneous use or administration of devices.
  Using information from an unreliable source.
  Unintentional operation in the substation.
  Inadequate design or lack of adaptation.
  Damage caused by a third party (in case the installer does not belong to the DSO/TSO).

Damage/Loss (IT Assets):
  Loss of (integrity of) sensitive information, information device, storage media and documents.
  Destruction of records, devices or storage media.
  Information leakage that allows hackers to obtain private sensitive information (e.g., substation architecture, device information, user guides).

Failures/Malfunction:
  Failure of devices or systems that can generate false positives of incidents.
  Failure or disruption of communication links when no secure protocols or standards are used.

Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions

Nefarious Activity / Abuse:
  All threats should be considered.


Knowledge

Communication Networks (Medium):
  • Basic knowledge about networks and communications
  • Advanced knowledge about a communication technology
  • Knowledge on network management
  • Knowledge about industrial and TCP/IP protocols
  • Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Communication Networks (Advanced):
  • Knowledge of the basic structure, architecture, and design of modern communication networks

Cybersecurity (Basic):
  • Knowledge of authentication, authorization, and access control methods
  • Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities
  • Knowledge of cyber defense and information security policies, procedures, and regulations
  • Knowledge of cryptography and cryptographic key management concepts: encryption algorithms and methodologies
  • Knowledge of ethical hacking principles and techniques
  • Knowledge of concepts and practices of processing digital forensic data
  • Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization
  • Knowledge of risk management processes
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities

Information and Communication Technologies (Basic):
  • Knowledge of how Internet applications work
Information and Communication Technologies (Medium):
  • Knowledge of database management systems, query languages, table relationships, and views
  • Knowledge about the design and development of hardware devices
  • Knowledge of information technology (IT) architectural concepts and frameworks
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of operating systems
  • Knowledge of software design tools, methods, and techniques
Information and Communication Technologies (Advanced):
  • Knowledge of the characteristics of physical and virtual data storage media
  • Knowledge of computer programming principles

Information Management (Basic):
  • Knowledge of sources, characteristics, and uses of the organization's data assets
  • Knowledge of data administration and data standardization policies
  • Knowledge of the capabilities and functionality associated with content creation and processing technologies
  • Knowledge of critical information technology

Laws and Regulations (Medium):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures


Skills

Communication Networks:
  • Skill in using various open source data collection tools (online trade, DNS, mail, etc.).
  • Skill in analysing essential network data (e.g., router configuration files, routing protocols).
  • Skill in analysing traffic to identify network devices.
  • Skill in analysing network traffic capacity and performance characteristics.
  • Skill in diagnosing connectivity problems.
  • Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
  • Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
  • Skill in using network management tools to analyse network traffic patterns (e.g., simple network management protocol).
  • Skill in using protocol analysers.
  • Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
  • Skill in navigating network visualization software.

Cybersecurity:
  • Skill in recognizing and interpreting malicious network activity in traffic.
  • Skill in recognizing denial and deception techniques of the target.
  • Skill in system, network, and OS hardening techniques (e.g., remove unnecessary services, password policies, network segmentation, enable logging, least privilege).
  • Skill in developing and deploying signatures.
  • Skill in using Virtual Private Network (VPN) devices and encryption.
  • Skill in reading and interpreting signatures (e.g., Snort).
  • Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.
  • Skill in identifying critical target elements, to include critical target elements for the cyber domain.

Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill in maintaining databases (i.e., backup, restore, delete data, transaction log files).
  • Skill in using Boolean operators to construct simple and complex queries.
  • Skill in tuning sensors.
  • Skill in physically disassembling PCs.
  • Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
  • Skill in installing system and component upgrades (i.e., servers, appliances, network devices).
  • Skill in determining installed patches on various operating systems and identifying patch signatures.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
  • Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
  • Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud).
  • Skill in operating system administration (e.g., account maintenance, data backups, maintain system performance, install and configure new hardware/software).
  • Skill in using the appropriate tools for repairing software, hardware, and peripheral equipment of a system.
  • Skill in writing test plans.
  • Skill in evaluating test plans for applicability and completeness.

Information Management:
  • Skill to access information on current assets available, usage.
  • Skill to identify sources, characteristics, and uses of the organization's data assets.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in creating and extracting important information from packet captures.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.


Abilities

Cybersecurity:
  • Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
  • Ability to execute OS command line (e.g., ipconfig, netstat, dir, nbtstat).

Information Management:
  • Ability to analyse test data.
  • Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute).

Communication Networks:
  • Ability to operate network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
  • Ability to operate common network tools (e.g., ping, traceroute, nslookup).

Personal Abilities:
  • Ability to effectively collaborate via virtual teams.


Prosumer

Table 42 contains a detailed description of the Prosumer Role including assets, threats, knowledge, skills and abilities.

Table 42. Prosumer Role Description.

Role: Prosumer

Role Description: Power generation at the point of consumption. Generating power on-site, rather than centrally, eliminates the cost, complexity, interdependencies, and inefficiencies associated with transmission and distribution.

DIEL is a smart building with a Photovoltaic system installed on its roof, which will be controlled and monitored by the smart inverter and smart meters. Moreover, an energy storage system will also be installed (a properly sized indoor battery) in order to store the excess energy generated by the PV system. All the smart equipment of the DIEL building communicates with the smart network/meters installed in the building.

Stakeholders: Prosumer

Location:

Assets

Inventory of Assets:
  Electrical: Cables, relays, transformers, power switches, sensors, actuators.

Managed and controlled information:
  Operational: Status, alarms, events, shortage, disturbances, of the devices deployed at home.
  Historical information: Information that must be stored by law (e.g., supply contracts).
  Trending information: Information about the past that can be used to predict future generation and consumption. It can also be used to select the energy supplier/aggregator.
  Trading information: Energy transactions, flexibility actions.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Databases: Consumption and generation data repository (cloud).

Managed software:
  Applications: HEMS (Home Energy Management System) to supervise and control the generation, storage and consumption of energy and control the operation of the smart appliances.

Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Cloud services: SaaS, IaaS

Used hardware:
  Microgrid: Smart Inverter, battery management system, central decision units, smart loads
  Smart Meter: End devices, local and neighbourhood network access point, external displays, home automation components, AMI head end.
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Network Components: Router, modem, firewall, VPN.
  Media devices: External storage
  Human interaction: Keyboard, mouse

Infrastructure:
  Facilities: Building

eMobility:
  EV Charging Stations: EV charging post
  Vehicles: Electric vehicle


Threats & Vulnerabilities

Unintentional damage (accidental):
  Information leakage / sharing due to user error (credential theft)
  Erroneous use or administration of devices
  Using information from an unreliable source
  Unintentional change of data in an information system
  Inadequate design or lack of adaptation
  Damage caused by a third party.
  Damages resulting from a penetration testing

Damage/Loss (IT Assets):
  Loss of (integrity of) sensitive information, information device, storage media and documents.
  Loss of device, storage media and documents.
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information (e.g., bank accounts, smart meter control access, consumption habits).

Failures/Malfunction:
  Failure of devices or systems
  Failure or disruption of communication links
  Failure or disruption of main supply
  Failure or disruption of service providers
  Malfunction of equipment
  Insecure Interfaces

Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions

Nefarious Activity / Abuse:
  All threats should be considered.

Outages:
  Lack of electricity
  Absence of personnel, strike, etc., of the supplier company (aggregator)
  Loss of support services
  Internet outage

Legal:
  Violation of laws or regulations / Breach of legislation
  Failure to meet contractual requirements
  Unauthorized use of copyrighted material
Knowledge

Collection (Basic):
  • Knowledge of collection disciplines and capabilities.

Communication Networks (Basic):
  • Basic knowledge about networks and communications

Cybersecurity (Basic):
  • Knowledge of concepts and practices of processing digital forensic data
  • Knowledge of risk management processes
  • Knowledge of cybersecurity and privacy principles
  • Knowledge of cyber threats and vulnerabilities
Cybersecurity (Medium):
  • Knowledge of authentication, authorization, and access control methods
  • Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization

Information and Communication Technologies (Basic):
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of operating systems
Information and Communication Technologies (Medium):
  • Knowledge about the design and development of hardware devices

Information Management (Basic):
  • Knowledge of critical information technology
Information Management (Medium):
  • Knowledge of sources, characteristics, and uses of the organization's data assets

Laws and Regulations (Basic):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures


Skills

Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.

Information and Communication Technologies:
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Information Management:
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in recognizing relevance of information.

Abilities

Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).

Personal Abilities:
  • Ability to effectively collaborate via virtual teams.
Building Energy Manager

Table 43 contains a detailed description of the Building Energy Manager Role including assets, threats, knowledge, skills and abilities.

Table 43. Building Energy Manager Role Description

Role: Building Energy Manager

Role Description: Providing energy-related services to end-users.

Stakeholders: ESCO

Location: Office, Customer Building

Assets

Inventory of Assets:
  Electrical: Cables, relays, transformers, power switches, sensors, actuators, etc., of the building.

Managed and controlled information:
  Operational: Status, alarms, events, shortage, disturbances, etc., of the devices deployed in the building.
  Historical information: Information that must be stored by law (e.g., supply contracts).
  Trending information: Information about the past that can be used to predict future generation and consumption. It can also be used to select the energy supplier/aggregator.
  Trading information: Energy transactions, flexibility actions.
  System Configuration: Network topology, IP - MAC addresses, user credentials, permission, configuration files.
  Databases: Consumption and generation data repository (cloud).

Managed software:
  Applications: HEMS (Home Energy Management System) to supervise and control the generation, storage and consumption of energy and control the operation of the smart appliances.

Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.
  Cloud services: SaaS, IaaS

Used hardware:
  Microgrid: Smart Inverter, battery management system, central decision units, smart loads
  Smart Meter: End devices, local and neighbourhood network access point, external displays, home automation components, AMI head end.
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Network Components: Router, modem, firewall, VPN.
  Media devices: External storage
  Displays: Monitor, Beamer
  Human interaction: Keyboard, mouse

Infrastructure:
  Facilities: Building
  Power Transformer: Emergency Generator, UPS.
  Air Conditioning

eMobility:
  EV Charging Stations: EV charging post
Threats & Vulnerabilities

Unintentional damage (accidental):
  Information leakage / sharing due to user error (credential theft)
  Erroneous use or administration of devices
  Using information from an unreliable source
  Unintentional change of data in an information system
  Inadequate design or lack of adaptation
  Damage caused by a third party.
  Damages resulting from a penetration testing

Damage/Loss (IT Assets):
  Loss of (integrity of) sensitive information, information device, storage media and documents.
  Loss of device, storage media and documents.
  Destruction of records, devices or storage media, for example because of a ransomware attack.
  Information leakage that allows hackers to obtain private sensitive information (e.g., bank accounts, smart meter control access, consumption habits).

Failures/Malfunction:
  Failure of devices or systems
  Failure or disruption of communication links
  Failure or disruption of main supply
  Failure or disruption of service providers
  Malfunction of equipment
  Insecure Interfaces

Eavesdropping / Interception / Hijacking:
  Interception of information
  Replay of messages
  Network reconnaissance and information gathering
  Man in the Middle / Session hijacking
  Repudiation of actions

Nefarious Activity / Abuse:
  All threats should be considered.

Outages:
  Lack of electricity
  Absence of personnel, strike.
  Loss of support services
  Internet outage

Legal:
  Violation of laws or regulations / Breach of legislation
  Failure to meet contractual requirements
  Unauthorized use of copyrighted material

Knowledge

Collection (Advanced):
  • Knowledge of collection management processes, capabilities, and limitations.
  • Knowledge of collection disciplines and capabilities.
  • Knowledge of the available tools and applications associated with collection requirements and collection management.

Communication Networks (Medium):
  • Basic knowledge about networks and communications

Cybersecurity (Basic):
  • Knowledge of incident categories and incident responses
Cybersecurity (Advanced):
  • Knowledge of authentication, authorization, and access control methods

Information and Communication Technologies (Basic):
  • Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
  • Knowledge of operating systems
Information and Communication Technologies (Advanced):
  • Knowledge about the design and development of hardware devices

Information Management (Basic):
  • Knowledge of sources, characteristics, and uses of the organization's data assets
  • Knowledge of the capabilities and functionality associated with content creation and processing technologies
  • Knowledge of critical information technology
Information Management (Medium):
  • Knowledge of data administration and data standardization policies

Laws and Regulations (Basic):
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures

Organisational (Basic):
  • Knowledge of organizational human resource policies, processes, and procedures.
  • Knowledge of organizational process improvement concepts and process maturity models
  • Knowledge about company organizational structure, roles and responsibilities
Organisational (Medium):
  • Knowledge of intelligence disciplines

Technology Trend (Basic):
  • Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics
  • Knowledge of emerging technologies that have potential for exploitation


Skills

Cybersecurity:
  • Skill in performing impact/risk assessments.
  • Skill in applying confidentiality, integrity, and availability principles.

Information and Communication Technologies:
  • Skill in generating queries and reports.
  • Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Information Management:
  • Skill to access information on current assets available, usage.
  • Skill to identify sources, characteristics, and uses of the organization's data assets.
  • Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
  • Skill in conducting social network analysis.
  • Skill in recognizing relevance of information.
  • Skill in conducting information searches.

Laws and Regulations:
  • Skill in complying with the legal restrictions for targeted information.

Organisational:
  • Skill to compare indicators/observables with requirements.
  • Skill to craft indicators of operational progress/success.

Abilities

Cybersecurity:
  • Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Information and Communication Technologies:
  • Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).

Information Management:
  • Ability to evaluate information for reliability, validity, and relevance.

Laws and Regulations:
  • Ability to author a privacy disclosure statement based on current laws.

Personal Abilities:
  • Ability to effectively collaborate via virtual teams.


Developer

Table 44 contains a detailed description of the Developer Role including assets, threats, knowledge, skills and abilities.

Table 44. Developer Role Description

Developer


Role Description: Developing and providing hardware and software components and solutions
Stakeholders: Hardware and Software Providers.
Location: Own Premises, Customer Building

Managed and controlled information:
Managed software:
  Databases: Copy of customer databases
  Applications: IDE (Integrated Development Environments).
  Systems, Device Drivers, Firmware

Used services:
  Oriented to the staff: Mail, print service, authentication service, ...
  Oriented to the network: File service, network service, name service, address service.
  Cloud services: SaaS, IaaS
  Smart Grid: RTU, IED, PLC, DCS
  Microgrid: Smart Inverter, battery management system, central decision units, smart loads
  Smart Meter: End devices, local and neighbourhood network access point, external displays, home automation components, AMI head end.

Used hardware:
  Servers: Hardware servers
  Clients: PC, Notebook, Tablet, mobile-phone, printer, ...
  Network Components: Router, modem, firewall, VPN.
  Media devices: External storage
  Displays: Monitor, Beamer
  Human interaction: Keyboard, mouse

Infrastructure Facilities: When working in the customer facilities

Threats & Vulnerabilities

Unintentional damage (accidental):
- Information leakage / sharing due to user error (credential theft)
- Erroneous use or administration of devices
- Using information from an unreliable source
- Unintentional change of data in an information system
- Inadequate design or lack of adaptation
Damage/Loss (IT Assets):
- Damage caused by a third party.
- Damage resulting from penetration testing
- Loss of (integrity of) sensitive information, information device, storage media and documents.
- Loss of device, storage media and documents.
- Destruction of records, devices or storage media, for example because of a ransomware attack.
- Information leakage that allows hackers to obtain private sensitive information (e.g., bank accounts, smart meter control access, consumption habits).
Failures/Malfunction:
- Failure of devices or systems
- Failure or disruption of communication links
- Failure or disruption of main supply
- Failure or disruption of service providers
- Malfunction of equipment
- Insecure Interfaces
Eavesdropping / Interception / Hijacking:
- Interception of information
- Replay of messages
- Network reconnaissance and information gathering
- Man in the Middle / Session hijacking
- Repudiation of actions
Nefarious Activity / Abuse:
- All threats should be considered.
Outages:
- Lack of electricity
- Absence of personnel, strike.
- Loss of support services
- Internet outage
Legal:
- Violation of laws or regulations / Breach of legislation
- Failure to meet contractual requirements
- Unauthorized use of copyrighted material


Knowledge

Collection (Basic):
- Knowledge of collection disciplines and capabilities.
Communication Networks (Medium):
- Basic knowledge about networks and communications
- Advanced knowledge about a communication technology
- Knowledge of the basic structure, architecture, and design of modern communication networks
Communication Networks (Advanced):
- Knowledge on network management
- Knowledge about industrial and TCP/IP protocols
- Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware
Cybersecurity (Basic):
- Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities
- Knowledge of cyber defense and information security policies, procedures, and regulations
- Knowledge of cryptography and cryptographic key management concepts: encryption algorithms and methodologies
- Knowledge of concepts and practices of processing digital forensic data
- Knowledge of incident categories and incident responses
- Knowledge of cybersecurity and privacy principles
- Knowledge of cyber threats and vulnerabilities
Cybersecurity (Medium):
- Knowledge of authentication, authorization, and access control methods
- Knowledge of ethical hacking principles and techniques
- Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization
Information and Communication Technologies (Basic):
- Knowledge about the design and development of hardware devices
- Knowledge of information technology (IT) architectural concepts and frameworks
- Knowledge of IT system operation, maintenance, and security needed to keep equipment functioning properly
- Knowledge of the characteristics of physical and virtual data storage media
- Knowledge of operating systems
Information and Communication Technologies (Advanced):
- Knowledge of database management systems, query languages, table relationships, and views
- Knowledge of computer programming principles
- Knowledge of software design tools, methods, and techniques
- Knowledge of how Internet applications work
Information Management (Basic):
- Knowledge of the capabilities and functionality associated with content creation and processing technologies
Information Management (Medium):
- Knowledge of data administration and data standardization policies
Organisational (Advanced):
- Knowledge of training and education policies, processes, and procedures
- Knowledge about company organizational structure, roles and responsibilities
- Knowledge of organizational security policies
Technology Trend (Basic):
- Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics
- Knowledge of machine learning theory and principles


Skills

Communication Networks:
- Skill in using various open source data collection tools (online trade, DNS, mail, etc.).
- Skill in analysing essential network data (e.g., router configuration files, routing protocols).
- Skill in analysing network traffic capacity and performance characteristics.
- Skill in diagnosing connectivity problems.
- Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
- Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- Skill in extracting information from packet captures.
- Skill in navigating network visualization software.
Cybersecurity:
- Skill in designing multi-level security/cross domain solutions.
- Skill in developing and deploying signatures.
- Skill in using Virtual Private Network (VPN) devices and encryption.
- Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
- Skill in reading and interpreting signatures (e.g., snort).
- Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
- Skill in assessing the application of cryptographic standards.
- Skill in verifying the integrity of all files (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.).
- Skill in performing impact/risk assessments.
- Skill in applying confidentiality, integrity, and availability principles.
- Skill in designing security controls based on cybersecurity principles and tenets.
Information and Communication Technologies:
- Skill in generating queries and reports.
- Skill in maintaining databases (i.e., backup, restore, delete data, transaction log files, etc.).
- Skill in optimizing database performance.
- Skill in exploiting/querying organizational and/or partner collection databases.
- Skill in using Boolean operators to construct simple and complex queries.
- Skill in using databases to identify target-relevant information.
- Skill in using targeting databases and software packages.
- Skill in identifying possible causes of degradation of system performance or availability and initiating actions needed to mitigate this degradation.
- Skill in systems integration testing.
- Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
- Skill in installing system and component upgrades (i.e., servers, appliances, network devices).
- Skill in determining installed patches on various operating systems and identifying patch signatures.
- Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
- Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
- Skill in using virtual machines (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
- Skill in operating system administration (e.g., account maintenance, data backups, maintain system performance, install and configure new hardware/software).
- Skill in writing code in a currently supported programming language (e.g., Java, C++).
- Skill in identifying common encoding techniques (e.g., Exclusive Disjunction [XOR], American Standard Code for Information Interchange [ASCII], Unicode, Base64, Uuencode, Uniform Resource Locator [URL] encode).
- Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc.
- Skill in using code analysis tools.
- Skill in analysing language processing tools to provide feedback to enhance tool development.
- Skill in interpreting compiled and interpretive programming languages.
- Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
- Skill in relevant programming languages (e.g., C++, Python, etc.).
- Skill in remote command line and Graphic User Interface (GUI) tool usage.
- Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.
- Skill in applying secure coding techniques.
- Skill in conducting software debugging.
- Skill in conducting test events.
- Skill in configuring and optimizing software.
- Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
- Skill in developing operations-based testing scenarios.
- Skill in design modelling and building use cases (e.g., unified modelling language).
- Skill in using the appropriate tools for repairing software, hardware, and peripheral equipment of a system.
- Skill in writing test plans.
- Skill in evaluating test plans for applicability and completeness.
- Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
- Skill in the use of design methods.
- Skill in secure test plan design (e.g., unit, integration, system, acceptance).
- Skill in the use of design modelling (e.g., unified modelling language).
- Skill in applying the systems engineering process.
Information Management:
- Skill in using data mapping tools.
- Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
- Skill in designing a data analysis structure (i.e., the types of data a test must generate and how to analyse that data).
- Skill in developing data dictionaries.
- Skill in developing data models.
- Skill in analysing volatile data.
- Skill in reading Hexadecimal data.
- Skill in data pre-processing (e.g., imputation, dimensionality reduction, normalization, transformation, extraction, filtering, smoothing).
- Skill in performing format conversions to create a standard representation of the data.
- Skill in developing machine understandable semantic ontologies.
- Skill in analysing terminal or environment collection data.
- Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis.
- Skill in evaluating and interpreting metadata.
- Skill in recognizing relevance of information.
- Skill in conducting information searches.
Laws and Regulations:
Technology Trends:
- Skill in creating and utilizing mathematical or statistical models.
- Skill in using scientific rules and methods to solve problems.
- Skill in using data analysis tools (e.g., Excel, STATA, SAS, SPSS).
- Skill to remain aware of evolving technical infrastructures.

Abilities

Cybersecurity:
- Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- Ability to apply secure system design tools, methods and techniques.
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
- Ability to maintain databases (e.g., backup, restore, delete data, transaction log files).
- Ability to optimize systems to meet enterprise performance requirements.
- Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
- Ability to execute OS command line (e.g., ipconfig, netstat, dir, nbtstat).
- Ability to examine digital media on multiple operating system platforms.
- Ability to apply programming language structures (e.g., source code review) and logic.
- Ability to develop secure software according to secure software deployment methodologies, tools, and practices.
- Ability to employ best practices when implementing security controls within a system including software engineering methodologies; system and security engineering principles; secure design, secure architecture, and secure coding techniques.
- Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.
- Ability to execute technology integration processes.
- Ability to interpret and translate customer requirements into operational capabilities.
- Ability to analyse test data.
- Ability to build complex data structures and high-level programming languages.
- Ability to collect, verify, and validate test data.
- Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute).
Communication Networks:
- Ability to operate network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
- Ability to operate common network tools (e.g., ping, traceroute, nslookup).
Personal Abilities:
- Ability to effectively collaborate via virtual teams.
Information Management:

IT User

Table 45 contains a detailed description of the IT User Role including assets, threats, knowledge, skills and abilities.

Table 45. IT User Role Description

IT User

Role Description: We include in this role all those company personnel who perform a support function for the other roles defined above.
Stakeholders: All
Location: Office

Managed and controlled information: Depending on the department in which each person works, they have access to information of a different nature.
  Inventory of Electrical Assets
  Operational
  Historical information
  Trending information
  Trading information
  System Configuration
Managed software:
  Databases, Applications: IT users, depending on their responsibilities, can access different types of applications and databases. Currently, there is a tendency to upload all the company's information to servers and repositories in the cloud.
Used services:
  Oriented to the staff: Mail, print service, authentication service.
  Oriented to the network: File service, network service, name service, address service.
  Cloud services: SaaS, IaaS
Used hardware:
  Clients: PC, Notebook, Tablet, mobile-phone, printer.
  Media devices: External storage
  Displays: Monitor, Beamer
  Human interaction: Keyboard, mouse
Infrastructure Facilities: Premises, buildings, office.

Threats & Vulnerabilities

Unintentional damage (accidental):
- Information leakage / sharing due to user error (credential theft)
- Using information from an unreliable source
- Unintentional change of data in an information system
Damage/Loss (IT Assets):
- Damage caused by a third party.
- Loss of (integrity of) sensitive information, information device, storage media and documents.
- Loss of device, storage media and documents.
- Destruction of records, devices or storage media, for example because of a ransomware attack.
- Information leakage that allows hackers to obtain private sensitive information
Failures/Malfunction:
- Failure or disruption of communication links
- Failure or disruption of main supply
- Failure or disruption of service providers
- Malfunction of equipment
- Insecure Interfaces
Eavesdropping / Interception / Hijacking:
- Interception of information
- Replay of messages
- Network reconnaissance and information gathering
- Man in the Middle / Session hijacking
- Repudiation of actions
Nefarious Activity / Abuse:
- All threats should be considered.
Outages:
- Lack of resources
- Lack of electricity
- Absence of personnel, strike.
- Loss of support services
- Internet outage
- Network outage
Legal:
- Violation of laws or regulations / Breach of legislation
- Failure to meet contractual requirements
- Unauthorized use of copyrighted material

Knowledge

Collection (Basic):
- Knowledge of collection management processes, capabilities, and limitations.
- Knowledge of collection disciplines and capabilities.
- Knowledge of the available tools and applications associated with collection requirements and collection management.
Communication Networks (Basic):
- Basic knowledge about networks and communications
- Advanced knowledge about a communication technology
Cybersecurity (Basic):
- Knowledge of authentication, authorization, and access control methods
Information and Communication Technologies (Basic):
- Knowledge of database management systems, query languages, table relationships, and views
Information Management (Basic):
- Knowledge of sources, characteristics, and uses of the organization's data assets
- Knowledge of data administration and data standardization policies
Laws and Regulations (Basic):
- Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures
Organisational (Basic):
- Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information
- Knowledge of organizational human resource policies, processes, and procedures.
- Knowledge of intelligence disciplines
- Knowledge of organizational process improvement concepts and process maturity models
- Knowledge about company organizational structure, roles and responsibilities
- Knowledge of organizational security policies
Technology Trend (Medium):
- Knowledge of successful capabilities to identify the solutions to less common and more complex system problems: computer algorithms, mathematics
- Knowledge of machine learning theory and principles
- Knowledge of emerging technologies that have potential for exploitation


Skills

Cybersecurity:
- Skill in performing impact/risk assessments.
- Skill in applying confidentiality, integrity, and availability principles.
Information and Communication Technologies:
- Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).
Information Management:
- Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.
- Skill in recognizing relevance of information.

Abilities

Cybersecurity:
- Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Information and Communication Technologies:
- Ability to operate different electronic communication systems and methods (e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts).
Personal Abilities:
- Ability to effectively collaborate via virtual teams.